Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 648954 (CVE-2017-18201) - <dev-libs/libcdio-2.0.0: Double free (CVE-2017-18201)
Summary: <dev-libs/libcdio-2.0.0: Double free (CVE-2017-18201)
Status: IN_PROGRESS
Alias: CVE-2017-18201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://git.savannah.gnu.org/cgit/lib...
Whiteboard: B3 [glsa? cve stable]
Keywords: STABLEREQ
: 671964 672230 (view as bug list)
Depends on: 673174
Blocks: 650898 672392 672356 673074
  Show dependency tree
 
Reported: 2018-02-27 15:00 UTC by Demetris Nakos (sokan)
Modified: 2019-04-06 13:37 UTC (History)
6 users (show)

See Also:
Package list:
=dev-libs/libcdio-2.0.0-r1 =media-video/vcdimager-2.0.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Demetris Nakos (sokan) 2018-02-27 15:00:17 UTC
An issue was discovered in GNU libcdio before 2.0.0. There is a double free in get_cdtext_generic() in lib/driver/_cdio_generic.c. 

Commit/patch: https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734

- Gentoo Security Padawan -
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-02-27 15:14:43 UTC
Note that the patch was actually commit https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734.

It is present in v2.0.0 which is already available in Gentoo repository.


@ Maintainer(s): Can we stabilize =dev-libs/libcdio-2.0.0?
Comment 2 Arfrever Frehtes Taifersar Arahesis 2018-02-28 02:33:41 UTC
>=libcdio-1.0 had incompatible changes in API, and not all reverse dependencies have been fixed yet (bug 638682, bug 641078, bug 641470).
Better to backport that simple one-line fix to older version.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 21:50:43 UTC
What's the way forward here?  Do the maintainers want to backport the patch?
Comment 5 Andreas Sturmlechner gentoo-dev 2018-04-08 22:19:20 UTC
Adding =media-video/vcdimager-2.0.1 to the list as it should be stabilised in lockstep.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-29 21:43:21 UTC
@arches, please stabilize.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-30 20:28:47 UTC
*** Bug 672230 has been marked as a duplicate of this bug. ***
Comment 8 Andreas Sturmlechner gentoo-dev 2018-12-01 19:12:56 UTC
*** Bug 671964 has been marked as a duplicate of this bug. ***
Comment 9 Ortwin Glueck 2018-12-03 16:43:52 UTC
media-libs/xine-lib broken too #672458
Comment 10 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:12 UTC
amd64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-12-07 02:42:24 UTC
x86 stable
Comment 12 Rolf Eike Beer 2018-12-15 14:17:36 UTC
sparc stable
Comment 13 Markus Meier gentoo-dev 2018-12-18 21:06:52 UTC
arm stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 19:49:44 UTC
Depends removed.  This has since been stabilized.
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 20:11:27 UTC
(In reply to Aaron Bauman from comment #14)
> Depends removed.  This has since been stabilized.

nvm.  I see vcdimager which was not stabilized due to test failures.  Why the dependency and stabilization together if it wasn't needed...
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:37:06 UTC
alpha stable