Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2109 to the following vulnerability:

field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop.

References:
http://bugs.gentoo.org/show_bug.cgi?id=210564
http://www.mars.org/mailman/public/mad-dev/2008-January/001366.html
Reproducer can be found in Gentoo bug, patch in report sent to mad-dev list. Package is in Fedora and EPEL5.
libid3tag-0.15.1b-6.fc9 has been submitted as an update for Fedora 9
libid3tag-0.15.1b-5.fc8 has been submitted as an update for Fedora 8
libid3tag-0.15.1b-5.fc7 has been submitted as an update for Fedora 7
libid3tag-0.15.1b-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
libid3tag-0.15.1b-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
libid3tag-0.15.1b-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3976
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3757