Re: CVE request: libcdaudio

[Tomas Hoger <thoger () redhat com>]

On Wed, 5 Nov 2008 09:07:23 +0100 Thomas Biege <thomas () suse de> wrote:

> we need a CVE-ID for a buffer overflow in libcdaudio.
> It is a remotely exploitable heap-based buffer overflow.

If you have been using libcdaudio packages based on ATrpms / Fedora,
you may have libcdaudio-0.99.12-buffovfl.patch, which addresses the
same issue, it only mallocs more instead of fgetsing less.

http://cvs.fedoraproject.org/viewvc/rpms/libcdaudio/devel/libcdaudio-0.99.12-buffovfl.patch

This issue does not seem to affect CDDB code used by grip/gnome-vfs2,
which may have common origin and previously had some flaws identical to
libcdaudio (see below).

Additionally, if you are shipping libcdaudio, you may be interested in
patch for CVE-2005-0706 used by Gentoo:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch

According to the libcdaudio home page, upstream seems to be aware of
this issue, as they acknowledge having security issues and even link to
old Gentoo GLSA.

-- 
Tomas Hoger / Red Hat Security Response Team