oss-sec mailing list archives
Re: CVE request: libcdaudio
From: Thomas Biege <thomas () suse de>
Date: Tue, 11 Nov 2008 09:25:39 +0100
Hello Tomas,

On Fri, Nov 07, 2008 at 06:25:26PM +0100, Tomas Hoger wrote:
> On Wed, 5 Nov 2008 09:07:23 +0100 Thomas Biege <thomas () suse de> wrote:
>
> > we need a CVE-ID for a buffer overflow in libcdaudio.
> > It is a remotely exploitable heap-based buffer overflow.
>
> ...
>
> Additionally, if you are shipping libcdaudio, you may be interested in
> patch for CVE-2005-0706 used by Gentoo:
>
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch
>
> According to the libcdaudio home page, upstream seems to be aware of
> this issue, as they acknowledge having security issues and even link to
> old Gentoo GLSA.

Our package contains this patch. Thanks for the references.

--
Bye,
Thomas
--
Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Hamming's Motto:
The purpose of computing is insight, not numbers.
-- Richard W. Hamming