Description of problem:
A buffer overrun in cd-info and libcdio was uncovered when one reads a disk/image with a long Joliet filename. Please see URL [1] and the Gentoo bug report [2] for more information and the patch (should be in upstream CVS now).

Version-Release number of selected component (if applicable):
dist-f8-updates: libcdio-0.78.2-3.fc8
dist-f9-build: libcdio-0.78.2-3.fc8
dist-fc7-updates: libcdio-0.78.2-2.fc7

Steps to Reproduce:
mkdir -p tmp/dir1
touch tmp/dir1/file_with_really_really_long_silly_name_to_test_iso_info_buffer
mkisofs -J -R -volid My_Image -o test.iso tmp
iso-info -l test.iso

Additional info:
A fair number of applications link against libcdio (and also Livna ones). Please do the update for all affected branches as soon as possible!
kover-0:3-2.x86_64
oxine-0:0.7.0-1.fc8.x86_64
libcddb-0:1.3.0-2.fc8.i386
libcddb-0:1.3.0-2.fc8.x86_64
libcdio-devel-0:0.78.2-3.fc8.i386
libcdio-0:0.78.2-3.fc8.x86_64
libcdio-devel-0:0.78.2-3.fc8.x86_64
libcdio-0:0.78.2-3.fc8.i386
gstreamer-plugins-good-0:0.10.6-6.fc8.x86_64

[1] http://lists.gnu.org/archive/html/libcdio-devel/2007-12/msg00009.html
[2] http://bugs.gentoo.org/show_bug.cgi?id=203777
Actually, this is not that serious. The applications that use libcdio are not vulnerable, as the problem lies in the iso-info program only.
libcdio-0.78.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
libcdio-0.78.2-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue got CVE name CVE-2007-6613
Robert Buchholz pointed out that the original patch has an issue: the original patches are off by two in the size calculation, as they calculate strlen(psz_iso_name+1) instead of strlen(psz_iso_name)+1. This was reported by bannedit.

Updates:
http://cvs.savannah.gnu.org/viewvc/libcdio/src/iso-info.c?root=libcdio&r1=1.36&r2=1.37
http://cvs.savannah.gnu.org/viewvc/libcdio/src/cd-info.c?root=libcdio&r1=1.150&r2=1.151

Discussion in the referenced Gentoo bug.
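The off-by-two above is easy to misread, so here is an added example (not libcdio code, and not from any of the commenters) that models the two size calculations side by side. It assumes a plain NUL-terminated name string and a hypothetical checked copy helper; the function names are illustrative and the sample filename is the one from the reproduction steps. strlen(name+1) is one short of strlen(name), and the intended value was strlen(name)+1, so the buffer ends up two bytes too small for the name plus its terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libcdio code. It models the size calculation discussed
 * in the bug: the first patch sized the buffer as strlen(psz_iso_name+1)
 * where strlen(psz_iso_name)+1 was intended. */

/* Size as computed by the first (wrong) patch: strlen(name + 1).
 * For a non-empty name this is one byte short of the name's length,
 * and two bytes short of what the name plus its NUL terminator needs. */
size_t buggy_buffer_size(const char *name)
{
    if (name[0] == '\0')      /* strlen(name+1) would read past the terminator */
        return 0;
    return strlen(name + 1);
}

/* Size as computed by the corrected patch: strlen(name) + 1. */
size_t fixed_buffer_size(const char *name)
{
    return strlen(name) + 1;
}

/* How many bytes short the buggy size is of what a NUL-terminated copy needs. */
size_t shortfall(const char *name)
{
    return fixed_buffer_size(name) - buggy_buffer_size(name);
}

/* Hypothetical checked copy: allocate bufsize bytes and copy name into it,
 * but refuse (return NULL) if bufsize cannot hold the string and its
 * terminator. A caller passing the buggy size fails closed instead of
 * writing past the end of the allocation. Caller frees the result. */
char *copy_name_checked(const char *name, size_t bufsize)
{
    size_t need = strlen(name) + 1;
    if (bufsize < need)
        return NULL;
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return NULL;
    memcpy(buf, name, need);
    return buf;
}

int main(void)
{
    /* Constructed input: the filename from the reproduction steps above. */
    const char *name = "file_with_really_really_long_silly_name_to_test_iso_info_buffer";

    printf("strlen: %zu, buggy size: %zu, fixed size: %zu, shortfall: %zu\n",
           strlen(name), buggy_buffer_size(name), fixed_buffer_size(name),
           shortfall(name));

    char *copy = copy_name_checked(name, buggy_buffer_size(name));
    printf("copy with buggy size: %s\n", copy ? "fits" : "refused (would overrun)");
    free(copy);

    copy = copy_name_checked(name, fixed_buffer_size(name));
    printf("copy with fixed size: %s\n", copy ? "fits" : "refused");
    free(copy);
    return 0;
}
```

The shortfall is the same two bytes whatever the name length, so a long Joliet name does not make the bug worse, it only makes the overrun land on more interesting memory; the check in copy_name_checked is the kind of guard that turns a silent overrun into a visible failure.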
I have fixed it in CVS and will make updates available for EL-5, F-7, F-8 and rawhide.
This is the top-level bug for tracking this issue across all Red Hat products and services. (Reopening.)
Updates pushed to Fedora as:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0104
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0136

Plus the off-by-two fix:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0258
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0242

Fixed now across all products.
Reporter changed to security-response-team by request of Jay Turner.