oss-sec mailing list archives

Re: CVE request: libcdaudio


From: Thomas Biege <thomas () suse de>
Date: Tue, 11 Nov 2008 09:25:39 +0100

Hello Tomas,

On Fri, Nov 07, 2008 at 06:25:26PM +0100, Tomas Hoger wrote:
> On Wed, 5 Nov 2008 09:07:23 +0100 Thomas Biege <thomas () suse de> wrote:
> 
> > we need a CVE-ID for a buffer overflow in libcdaudio.
> > It is a remotely exploitable heap-based buffer overflow.
> > ...
> 
> Additionally, if you are shipping libcdaudio, you may be interested in
> the patch for CVE-2005-0706 used by Gentoo:
> 
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch
> 
> According to the libcdaudio home page, upstream seems to be aware of
> this issue, as they acknowledge having security issues and even link to
> the old Gentoo GLSA.

Our package contains this patch. Thanks for the references.

-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
           Hamming's Motto:
           The purpose of computing is insight, not numbers.
                                -- Richard W. Hamming