Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 648954 (CVE-2017-18201) - <dev-libs/libcdio-2.0.0-r1: Double free (CVE-2017-18201)
Summary: <dev-libs/libcdio-2.0.0-r1: Double free (CVE-2017-18201)
Status: RESOLVED FIXED
Alias: CVE-2017-18201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://git.savannah.gnu.org/cgit/lib...
Whiteboard: B3 [noglsa cve]
Keywords:
: 671964 672230 (view as bug list)
Depends on: 673174
Blocks: 650898 672356 672392 673074 710264
  Show dependency tree
 
Reported: 2018-02-27 15:00 UTC by Demetris Nakos (sokan)
Modified: 2020-07-29 00:42 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/libcdio-2.0.0-r1 =media-video/vcdimager-2.0.1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Demetris Nakos (sokan) 2018-02-27 15:00:17 UTC
An issue was discovered in GNU libcdio before 2.0.0. There is a double free in get_cdtext_generic() in lib/driver/_cdio_generic.c. 

Commit/patch: https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734

- Gentoo Security Padawan -
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-02-27 15:14:43 UTC
Note that the patch was actually commit https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734.

It is present in v2.0.0 which is already available in Gentoo repository.


@ Maintainer(s): Can we stabilize =dev-libs/libcdio-2.0.0?
Comment 2 Arfrever Frehtes Taifersar Arahesis 2018-02-28 02:33:41 UTC
>=libcdio-1.0 had incompatible changes in API, and not all reverse dependencies have been fixed yet (bug 638682, bug 641078, bug 641470).
Better to backport that simple one-line fix to older version.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 21:50:43 UTC
What's the way forward here?  Do the maintainers want to backport the patch?
Comment 5 Andreas Sturmlechner gentoo-dev 2018-04-08 22:19:20 UTC
Adding =media-video/vcdimager-2.0.1 to the list as it should be stabilised in lockstep.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-29 21:43:21 UTC
@arches, please stabilize.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-30 20:28:47 UTC
*** Bug 672230 has been marked as a duplicate of this bug. ***
Comment 8 Andreas Sturmlechner gentoo-dev 2018-12-01 19:12:56 UTC
*** Bug 671964 has been marked as a duplicate of this bug. ***
Comment 9 Ortwin Glueck 2018-12-03 16:43:52 UTC
media-libs/xine-lib broken too #672458
Comment 10 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:12 UTC
amd64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-12-07 02:42:24 UTC
x86 stable
Comment 12 Rolf Eike Beer 2018-12-15 14:17:36 UTC
sparc stable
Comment 13 Markus Meier gentoo-dev 2018-12-18 21:06:52 UTC
arm stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 19:49:44 UTC
Depends removed.  This has since been stabilized.
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 20:11:27 UTC
(In reply to Aaron Bauman from comment #14)
> Depends removed.  This has since been stabilized.

nvm.  I see vcdimager which was not stabilized due to test failures.  Why the dependency and stabilization together if it wasn't needed...
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:37:06 UTC
alpha stable
Comment 17 Sergei Trofimovich gentoo-dev 2019-12-25 20:53:20 UTC
ppc stable
Comment 18 Andreas Sturmlechner gentoo-dev 2020-02-19 22:23:29 UTC
(In reply to Aaron Bauman from comment #15)
> nvm.  I see vcdimager which was not stabilized due to test failures.  Why
> the dependency and stabilization together if it wasn't needed...

Because obviously vcdimager is going to block cleanup besides being a blocker for stable user upgrades...
Comment 19 Andreas Sturmlechner gentoo-dev 2020-02-19 22:27:16 UTC
See also bug 671964...
Comment 20 Sergei Trofimovich gentoo-dev 2020-03-02 14:13:25 UTC
ignoring test failure and declaring hppa stable
Comment 21 Agostino Sarubbo gentoo-dev 2020-03-31 12:34:27 UTC
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
Comment 22 Thomas Deutschmann gentoo-dev Security 2020-04-01 19:16:23 UTC
GLSA Vote: No!
Comment 23 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 06:48:08 UTC
PPC64 forgot to remove themselves, version is stable in tree.

Maintainer(s), please drop the vulnerable version(s).
Comment 24 NATTkA bot gentoo-dev 2020-04-16 06:52:06 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev Security 2020-05-21 23:51:31 UTC
Maintainer(s), it has been 30 days + since request for cleanup. 
Please drop the vulnerable version(s).
Comment 26 Sam James gentoo-dev Security 2020-07-27 20:51:49 UTC
ppc64 stable
Comment 27 Larry the Git Cow gentoo-dev 2020-07-29 00:19:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0390ce45e2faa0dc97db10c2310a6164bf0cc2

commit 4a0390ce45e2faa0dc97db10c2310a6164bf0cc2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    dev-libs/libcdio: security cleanup
    
    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libcdio/Manifest               |  3 --
 dev-libs/libcdio/libcdio-0.93.ebuild    | 73 --------------------------------
 dev-libs/libcdio/libcdio-0.94-r1.ebuild | 73 --------------------------------
 dev-libs/libcdio/libcdio-1.1.0.ebuild   | 75 ---------------------------------
 dev-libs/libcdio/libcdio-2.0.0.ebuild   | 74 --------------------------------
 5 files changed, 298 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cce5ce922fc380cd1bde667ac65c55e253169739

commit cce5ce922fc380cd1bde667ac65c55e253169739
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    media-video/vcdimager: cleanup for libcdio security cleanup
    
    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vcdimager/Manifest                     |   1 -
 .../files/vcdimager-0.7.24-libcdio-1.0.0.patch     | 230 ---------------------
 media-video/vcdimager/vcdimager-0.7.24.ebuild      |  61 ------
 3 files changed, 292 deletions(-)