Fedora has issued an advisory on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/ The issues were fixed upstream in 1.0.0 and 2.0.0. Mageia 5 is also affected.
Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
Component: RPM Packages => Security
Assignee: bugsquad => shlomif
CC: (none) => marja11
QA Contact: (none) => security
2.0.0 was submitted to mga7 fixing this.
Blocks: (none) => 22902
Patched version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated libcdio packages fix security vulnerabilities:

A heap corruption bug was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files, thus resulting in local DoS (CVE-2017-18198).

A NULL pointer dereference flaw was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files (CVE-2017-18199).

A double-free flaw was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files (CVE-2017-18201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18201
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/
========================

Updated packages in core/updates_testing:
========================

libcdio-apps-0.94-1.1.mga6
libcdio16-0.94-1.1.mga6
libcdio-devel-0.94-1.1.mga6
libcdio-static-devel-0.94-1.1.mga6
libiso9660_10-0.94-1.1.mga6
libcdio++0-0.94-1.1.mga6
libudf0-0.94-1.1.mga6

from libcdio-0.94-1.1.mga6.src.rpm
Whiteboard: MGA5TOO => (none)
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Status comment: Patches available from Fedora => (none)
Mageia 6, x86_64

Pre-updates:

CVE-2017-18198
PoC at https://savannah.gnu.org/bugs/?52265
$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
This output information about the file. It was punctuated by many 'broken byte order' messages and ended with
++ WARN: Bad directory information for 0000000000000000000000000
Error getting above directory information

CVE-2017-18199
PoC at https://savannah.gnu.org/bugs/?52264
$ iso-info -i cdio.realloc_symlink.rock.69.crash
....................................
ISO 9660 image: cdio.realloc_symlink.rock.69.crash
System : LINUX
Volume : CDROM
Volume Set : ����
No Joliet extensions
__________________________________
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Symlink component flag not implemented
Segmentation fault (core dumped)

CVE-2017-18201
No PoC file available but https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887640 talks about running cd-info with commercial music CDs and gdb. I tried a Cyndi Lauper disk without gdb and saw only normal information - no aborts or double-free errors.

A valgrind report looked clean; tail-end:
==5875== HEAP SUMMARY:
==5875==     in use at exit: 0 bytes in 0 blocks
==5875==   total heap usage: 4,503 allocs, 4,503 frees, 511,229 bytes allocated
==5875==
==5875== All heap blocks were freed -- no leaks are possible
==5875==
==5875== For counts of detected and suppressed errors, rerun with: -v
==5875== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
------------------------------------------------------------------------------

Updated the packages:
- lib64cdio++0-0.94-1.1.mga6.x86_64
- lib64cdio-devel-0.94-1.1.mga6.x86_64
- lib64cdio-static-devel-0.94-1.1.mga6.x86_64
- lib64cdio16-0.94-1.1.mga6.x86_64
- lib64iso9660_10-0.94-1.1.mga6.x86_64
- lib64udf0-0.94-1.1.mga6.x86_64
- libcdio-apps-0.94-1.1.mga6.x86_64

CVE-2017-18198
$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
Returned a much shorter report with a more precise error message:
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Invalid directory stat at offset 212
Error getting above directory information
That looks like a good result.

CVE-2017-18199
$ iso-info -i cdio.realloc_symlink.rock.69.crash
Again, a terse report ending with this:
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Invalid directory stat at offset 0
Error getting above directory information
No segfault, so this is good.

$ cd-info /dev/sr0
worked as before ending with a full track listing.

Not sure how to test functionality of the libraries other than obtaining reports.

$ iso-info -i Mageia-5.1-i586-DVD.iso
This generated a complete listing of all the files contained in the iso file, 4441 lines.
ISO 9660 image: Mageia-5.1-i586-DVD.iso
Application : Mageia 5.1
Preparer : Mageia BCD
Publisher : Mageia
System : Mageia
Volume : Mageia-5.1-i586
Volume Set : Mageia 5.1 - i586 DVD
Joliet Level: 3
__________________________________
ISO-9660 Information
      80 /autorun.inf
    2048 /boot.catalog
    2048 /dosutils
.......................
   38360 /isolinux/welcome.jpg
   12735 /isolinux/xh.hlp
   11597 /isolinux/zh_CN.hlp
   10644 /isolinux/zh_TW.hlp
27351224 /isolinux/i386/all.rdz
 4374752 /isolinux/i386/vmlinuz

Hoping this is enough for an OK.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
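The QA comment above checks each reproducer by eye: a segfault before the update, a plain "Error getting above directory information" after it. The script below is an added example (not from the bug report, not part of libcdio) that automates that distinction by exit status, so a pre-update build shows up as CRASH:SEGV and a fixed one as ERROR or OK; `iso-info -i` is the tool named above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libcdio.
# Classify how a parser exits when fed a crash-reproducer file, so a QA run
# separates a clean error exit (the post-update behaviour above) from death by
# signal (the pre-update segfault) without reading the full output.

# classify_run <command> [args...]  -> prints OK, ERROR:<code> or CRASH:<signal>
classify_run() {
    status=0
    # Output is irrelevant here; only the exit status is inspected.
    # The "|| status=$?" form keeps this usable under "set -e".
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo OK
    elif [ "$status" -gt 128 ]; then
        # POSIX shells report a child killed by a signal as 128 + signal number.
        sig=$((status - 128))
        echo "CRASH:$(kill -l "$sig" 2>/dev/null || echo "$sig")"
    else
        echo "ERROR:$status"
    fi
}

# check_reproducers "<tool and options>" <file>...
# Runs the tool once per file, prints one line per file and returns 1 if any
# run died by a signal, e.g.:  check_reproducers "iso-info -i" *.crash
check_reproducers() {
    tool=$1
    shift
    crashes=0
    for f in "$@"; do
        # $tool is intentionally unquoted so "iso-info -i" splits into words.
        result=$(classify_run $tool "$f")
        echo "$result  $f"
        case $result in
            CRASH:*) crashes=$((crashes + 1)) ;;
        esac
    done
    [ "$crashes" -eq 0 ]
}
```

An ERROR line still deserves a glance at the tool's output, since a bad ISO should produce a diagnostic rather than an abort; only a CRASH line is an automatic failure of the fix.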
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0209.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED