+++ This bug was initially created as a clone of Bug #22740 +++

Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/

The issues were fixed upstream in 1.0.0 and 2.0.0. Patches don't apply cleanly to Mageia 5, so saving this for when they can be rediffed.
Testing info at:
https://bugs.mageia.org/show_bug.cgi?id=22740#c4

Advisory:
========================

Updated libcdio packages fix security vulnerabilities:

A heap corruption bug was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files, thus resulting in local DoS (CVE-2017-18198).

A NULL pointer dereference flaw was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files (CVE-2017-18199).

A double-free flaw was found in the way libcdio handled processing of ISO files. An attacker could potentially use this flaw to crash applications using libcdio by tricking them into processing crafted ISO files (CVE-2017-18201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18201
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/
========================

Updated packages in core/updates_testing:
========================
libcdio-apps-0.92-3.1.mga5
libcdio15-0.92-3.1.mga5
libcdio-devel-0.92-3.1.mga5
libcdio-static-devel-0.92-3.1.mga5
libiso9660_9-0.92-3.1.mga5
libcdio++0-0.92-3.1.mga5
libudf0-0.92-3.1.mga5

from libcdio-0.92-3.1.mga5.src.rpm
Assignee: shlomif => qa-bugs
Keywords: (none) => has_procedure
Testing M5 x64 real hardware, using Len's very helpful POCs and test commands as indicated by David:
https://bugs.mageia.org/show_bug.cgi?id=22740#c4

This bug is essentially a re-run of the former one, that for M6, this for M5.

CVE-2017-18198 test file URL is: https://savannah.gnu.org/bugs/download.php?file_id=42234
CVE-2017-18199 test file URL is: https://savannah.gnu.org/bugs/download.php?file_id=42233

libcdio-apps has:
/usr/bin/cd-drive show CD-ROM drive characteristics
/usr/bin/cd-info shows Information about a CD or CD-image
/usr/bin/cd-read reads Information from a CD or CD-image
/usr/bin/cdda-player ???
/usr/bin/iso-info shows Information about an ISO 9660 image
/usr/bin/iso-read reads portions of an ISO 9660 image
/usr/bin/mmc-tool ???

BEFORE this update:
lib64cdio++0-0.92-3.mga5
lib64cdio15-0.92-3.mga5
lib64iso9660_9-0.92-3.mga5
lib64udf0-0.92-3.mga5
libcdio-apps-0.92-3.mga5

$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
iso-info version 0.92 x86_64-mageia-linux-gnu
...
ISO 9660 image: cdio.print_iso9660_recurse.iso-info.257.crash
System : LINQX
Volume : CDROM
No Joliet extensions
[NOT the same result as before, no WARN, no Error].

$ iso-info -i cdio.realloc_symlink.rock.69.crash
iso-info version 0.92 x86_64-mageia-linux-gnu
...
__________________________________
ISO 9660 image: cdio.realloc_symlink.rock.69.crash
System : LINUX
Volume : CDROM
Volume Set : ����
No Joliet extensions
[NOT the same result as before, no WARNs, no segfault].

$ cd-info /dev/sr0 [with a music CD]
cd-info version 0.92 x86_64-mageia-linux-gnu
...
CD location : /dev/sr0
CD driver name: GNU/Linux
access mode: IOCTL
...lots of info about the device
Media Catalog Number (MCN): 0000007479472
Last CD Session LSN: 0
audio status: invalid
__________________________________
CD Analysis Report
Audio CD, CDDB disc ID is fe0f4914
...lots of info about the CD
No CD-TEXT on Disc.
====================================
AFTER the update:
- lib64cdio++0-0.92-3.1.mga5.x86_64
- lib64cdio15-0.92-3.1.mga5.x86_64
- lib64iso9660_9-0.92-3.1.mga5.x86_64
- lib64udf0-0.92-3.1.mga5.x86_64
- libcdio-apps-0.92-3.1.mga5.x86_64

$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
O/P identical to before.

$ iso-info -i cdio.realloc_symlink.rock.69.crash
O/P identical to before.

$ cd-info /dev/sr0
O/P identical to before.

all of which only shows no errors, no reversion.
---
$ iso-info -l -i /mnt/common/Mageia/Mageia-6-Live-Xfce-i586.iso
...
__________________________________
ISO 9660 image: /mnt/common/Mageia/Mageia-6-Live-Xfce-i586.iso
Application : GNU xorriso 1.4.8
Preparer : drakiso
Publisher : Mageia
System : Linux
Volume : Mageia-6-Live-Xfce-i586
Joliet Level: 3
__________________________________
ISO-9660 Information
...
[like ls -l listing of all the directories/files in the ISO]

$ cd-drive
cd-drive version 0.92 x86_64-mageia-linux-gnu
...
lots of info about the device and its driver.

All this looks OK, but I am puzzled about the result differences from the earlier Mageia 6 tests. Here, all results were the same before & after the update - which seems OK.
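One way to script the before/after comparison described in the comment above, as an added example that is not part of the original report: it records each command's exit status next to its output, so a run killed by a signal (a segfault, for instance) is told apart from a clean exit even when the printed text matches. The function names and the `results/` directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names and the
# results/ directory layout are assumptions made for illustration.

# classify_status CODE: map a shell exit status to ok / error:N / signal:N.
# By shell convention a status above 128 means "killed by signal CODE-128".
classify_status() {
    if [ "$1" -eq 0 ]; then echo "ok"
    elif [ "$1" -gt 128 ]; then echo "signal:$(($1 - 128))"
    else echo "error:$1"
    fi
}

# run_case DIR LABEL CMD...: run CMD, saving its combined output to
# DIR/LABEL.out and its classified exit status to DIR/LABEL.status.
run_case() {
    dir=$1; label=$2; shift 2
    mkdir -p "$dir"
    rc=0
    "$@" >"$dir/$label.out" 2>&1 || rc=$?
    classify_status "$rc" >"$dir/$label.status"
}

# compare_runs BEFORE_DIR AFTER_DIR LABEL: print a verdict for one test case.
compare_runs() {
    b=$(cat "$1/$3.status"); a=$(cat "$2/$3.status")
    case "$b/$a" in
        signal:*/signal:*) echo "still-crashes" ;;
        signal:*/*)        echo "fixed" ;;
        */signal:*)        echo "regression" ;;
        *) if [ "$b" = "$a" ] && cmp -s "$1/$3.out" "$2/$3.out"
           then echo "unchanged"; else echo "output-differs"; fi ;;
    esac
}

# Stand-alone use: ./script before|after FILE...  (run once per package set)
if [ "$#" -ge 2 ]; then
    phase=$1; shift
    for f in "$@"; do
        run_case "results/$phase" "$(basename "$f")" iso-info -i "$f"
    done
fi
```

A verdict of "unchanged" for a PoC file, as reported in this test, means the installed build neither crashed before nor after the update.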
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0225.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED