libcdio: User-assisted execution of arbitrary code — GLSA 200801-08

A buffer overflow vulnerability has been discovered in libcdio.

Affected Packages

dev-libs/libcdio on all architectures
Affected versions < 0.78.2-r4
Unaffected versions >= 0.78.2-r4

Background

libcdio is a library for accessing CD-ROM and CD images.

Description

Devon Miller reported a boundary error in the "print_iso9660_recurse()" function in files cd-info.c and iso-info.c when processing long filenames within Joliet images.

Impact

A remote attacker could entice a user to open a specially crafted ISO image in the cd-info and iso-info applications, resulting in the execution of arbitrary code with the privileges of the user running the application. Applications linking against shared libraries of libcdio are not affected.

Workaround

There is no known workaround at this time.

Resolution

All libcdio users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libcdio-0.78.2-r4"

References

Release Date
January 20, 2008

Latest Revision
January 20, 2008: 01

Severity
normal

Exploitable
remote

Bugzilla entries