| Summary: | libcdio new security issue CVE-2024-36600 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | libcdio-2.1.0-4.mga9.src.rpm | CVE: | CVE-2024-36600 |
| Status comment: | |||
| Attachments: | Outputs of iso-info -i | ||
Description

Nicolas Salguero
2024-07-01 15:32:05 CEST

Nicolas Salguero
2024-07-01 15:32:31 CEST
CVE: (none) => CVE-2024-36600

Nicolas Salguero
2024-07-01 16:04:51 CEST
Assignee: bugsquad => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow Vulnerability in libcdio v2.1.0 allows an attacker to execute arbitrary code via a crafted ISO 9660 image file. (CVE-2024-36600)

References:
https://ubuntu.com/security/notices/USN-6855-1
========================

Updated packages in core/updates_testing:
========================
lib(64)cdio++1-2.1.0-4.1.mga9
lib(64)cdio19-2.1.0-4.1.mga9
lib(64)cdio-devel-2.1.0-4.1.mga9
lib(64)iso9660++0-2.1.0-4.1.mga9
lib(64)iso9660_11-2.1.0-4.1.mga9
lib(64)udf0-2.1.0-4.1.mga9
libcdio-apps-2.1.0-4.1.mga9

from SRPM:
libcdio-2.1.0-4.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
katnatek
2024-07-01 21:39:04 CEST
Keywords: (none) => advisory

RH mageia 9 x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
installing lib64cdio19-2.1.0-4.1.mga9.x86_64.rpm lib64udf0-2.1.0-4.1.mga9.x86_64.rpm libcdio-apps-2.1.0-4.1.mga9.x86_64.rpm lib64iso9660_11-2.1.0-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/4: lib64cdio19 ##################################################################################################
2/4: lib64udf0 ##################################################################################################
3/4: lib64iso9660_11 ##################################################################################################
4/4: libcdio-apps ##################################################################################################
1/4: removing libcdio-apps-2.1.0-4.mga9.x86_64
##################################################################################################
2/4: removing lib64iso9660_11-2.1.0-4.mga9.x86_64
##################################################################################################
3/4: removing lib64udf0-2.1.0-4.mga9.x86_64
##################################################################################################
4/4: removing lib64cdio19-2.1.0-4.mga9.x86_64
##################################################################################################
I'm not sure what to do with the POC file.

Whiteboard: (none) => MGA9-64-OK

Understanding how to test the POC is beyond me, too. Len Lawrence tested a previous libcdio update in Bug 22740 Comment 4. Different POCs that time, but it gives some commands for testing function. They would be better than nothing.

RH mageia 9 x86_64

iso-info PoC-libcdio-bof.iso
iso-info version 2.1.0 x86_64-mageia-linux-gnu
Copyright (c) 2003-2005, 2007-2008, 2011-2015, 2017 R. Bernstein
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
__________________________________
ISO 9660 image: PoC-libcdio-bof.iso
Preparer    : XORRISO-1.5.2 2019.10.26.180001, LIBISOBURN-1.5.2, LIBISOFS-1.5.2, LIBBURN-1.5.2
Volume      : Ubuntu 22.04.2 LTS amd64
Joliet Level: 3

The above info was similar before the update.

iso-info ~/Descargas/Mageia-8-i586.iso
iso-info version 2.1.0 x86_64-mageia-linux-gnu
Copyright (c) 2003-2005, 2007-2008, 2011-2015, 2017 R. Bernstein
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
__________________________________
ISO 9660 image: /home/katnatek/Descargas/Mageia-8-i586.iso
Application : GNU xorriso 1.5.0
Preparer    : drakiso
Publisher   : Mageia.Org
System      : Linux
Volume      : Mageia-8-i586
Joliet Level: 3

I can't test the output of cd-info /dev/sr0 because I don't have an optical drive in this system; if you require it, I'll test on my i586 where I have one.

Created attachment 14581
Outputs of iso-info -i

With -i the command gives a lot more info for the mageia image.
I put it in the attachment.
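The QA runs above compare the header that iso-info prints before and after the update, but an identical header says nothing about whether the crafted image reached the overflowing code path: a buffer overflow that does not happen to crash the process leaves the output unchanged either way. The check a tester actually wants is "did the tool exit cleanly, or was it killed by a signal", ideally repeated under a memory checker. The following harness is an added example for that step; it is not part of the bug report and not libcdio's own code. It assumes iso-info (or whatever tool is passed to it) is on PATH, treats exit statuses of 128 and above as signal deaths the way POSIX shells report them, and uses valgrind's --error-exitcode (a real valgrind option) as the optional memory-checker wrapper; the image paths in the usage comments are the ones from the report.

```sh
#!/bin/sh
# Added example (not from the bug report or from libcdio): a small regression
# harness for the iso-info QA step. It runs a libcdio CLI tool (iso-info by
# default, assumed to be on PATH) against an image, discards the tool's output
# and classifies only its exit status, so the tester learns whether the run was
# clean, an ordinary error, or a signal death.
#
# POSIX shell exit-status convention: 0 = success, 1..127 = the tool's own
# error code, 128+N = killed by signal N (139 = SIGSEGV, 134 = SIGABRT, which
# is what glibc hardening checks, ASan and similar aborts produce).

# classify_status N -> prints "ok", "error:N" or "crash:SIGNUM"
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# run_and_classify CMD [ARGS...] -> runs CMD with its output discarded and
# prints the classification of its exit status
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# probe_image IMAGE [TOOL ARGS...] -> classification of "TOOL ARGS... IMAGE";
# TOOL defaults to iso-info; prints "missing" if the image is not readable
probe_image() {
    image=$1
    shift
    [ $# -gt 0 ] || set -- iso-info
    if [ ! -r "$image" ]; then
        echo missing
        return 0
    fi
    run_and_classify "$@" "$image"
}

# Typical QA use (image names are the ones from the report):
#   probe_image PoC-libcdio-bof.iso               # crafted PoC: want "ok" after the update,
#                                                 # "crash:11"/"crash:6" is the overflow firing
#   probe_image ~/Descargas/Mageia-8-i586.iso     # known-good image: want "ok" before and after
# To catch out-of-bounds accesses that do not crash on their own, wrap the tool
# in valgrind; memory errors then surface as "error:99" instead of "ok":
#   probe_image PoC-libcdio-bof.iso valgrind -q --error-exitcode=99 iso-info
```

Run the PoC probe once with the old packages and once after the update; the useful before/after comparison is the classification line, not the volume header. A "crash" result from the old build is the positive control that the PoC actually exercises the bug on this platform, without which "ok" on the new build is not evidence of a fix.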
Thanks for the extra effort. Validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0252.html

Status: ASSIGNED => RESOLVED