Ubuntu has issued an advisory on June 28: https://ubuntu.com/security/notices/USN-6855-1 Mageia 9 is also affected.
CVE: (none) => CVE-2024-36600
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Ubuntu
Source RPM: (none) => libcdio-2.1.0-4.mga9.src.rpm
Assignee: bugsquad => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow Vulnerability in libcdio v2.1.0 allows an attacker to execute arbitrary code via a crafted ISO 9660 image file. (CVE-2024-36600)

References:
https://ubuntu.com/security/notices/USN-6855-1
========================

Updated packages in core/updates_testing:
========================

lib(64)cdio++1-2.1.0-4.1.mga9
lib(64)cdio19-2.1.0-4.1.mga9
lib(64)cdio-devel-2.1.0-4.1.mga9
lib(64)iso9660++0-2.1.0-4.1.mga9
lib(64)iso9660_11-2.1.0-4.1.mga9
lib(64)udf0-2.1.0-4.1.mga9
libcdio-apps-2.1.0-4.1.mga9

from SRPM:
libcdio-2.1.0-4.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from Ubuntu => (none)
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
installing lib64cdio19-2.1.0-4.1.mga9.x86_64.rpm lib64udf0-2.1.0-4.1.mga9.x86_64.rpm libcdio-apps-2.1.0-4.1.mga9.x86_64.rpm lib64iso9660_11-2.1.0-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...
      1/4: lib64cdio19
      2/4: lib64udf0
      3/4: lib64iso9660_11
      4/4: libcdio-apps
      1/4: removing libcdio-apps-2.1.0-4.mga9.x86_64
      2/4: removing lib64iso9660_11-2.1.0-4.mga9.x86_64
      3/4: removing lib64udf0-2.1.0-4.mga9.x86_64
      4/4: removing lib64cdio19-2.1.0-4.mga9.x86_64

I'm not sure what to do with the POC file.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Understanding how to test the POC is beyond me, too. Len Lawrence tested a previous libcdio update in Bug 22740 Comment 4. Different POCs that time, but it gives some commands for testing function. They would be better than nothing.
RH mageia 9 x86_64

iso-info PoC-libcdio-bof.iso
iso-info version 2.1.0 x86_64-mageia-linux-gnu
Copyright (c) 2003-2005, 2007-2008, 2011-2015, 2017 R. Bernstein
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
__________________________________
ISO 9660 image: PoC-libcdio-bof.iso
Preparer    : XORRISO-1.5.2 2019.10.26.180001, LIBISOBURN-1.5.2, LIBISOFS-1.5.2, LIBBURN-1.5.2
Volume      : Ubuntu 22.04.2 LTS amd64
Joliet Level: 3

The above info was similar before the update.

iso-info ~/Descargas/Mageia-8-i586.iso
iso-info version 2.1.0 x86_64-mageia-linux-gnu
Copyright (c) 2003-2005, 2007-2008, 2011-2015, 2017 R. Bernstein
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
__________________________________
ISO 9660 image: /home/katnatek/Descargas/Mageia-8-i586.iso
Application : GNU xorriso 1.5.0
Preparer    : drakiso
Publisher   : Mageia.Org
System      : Linux
Volume      : Mageia-8-i586
Joliet Level: 3

I can't test the output of cd-info /dev/sr0 because I don't have an optical drive in this system; if you require it, I'll test on my i586 where I have one.
Created attachment 14581
Outputs of iso-info -i

With -i the command gives a lot more info for the Mageia image; I put it in the attachment.
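The two comments above run the PoC and a known-good image through iso-info by hand and eyeball the output. The script below is an added example written for this thread; it is not part of the Mageia bug, the libcdio project or the PoC. It runs the same invocations used above (plain iso-info and iso-info -i) against each image given on the command line and classifies each run as a clean exit, an ordinary error, or death by signal, which is the observable outcome a memory-corruption PoC is trying to produce. The image paths are placeholders supplied by the caller; the script assumes libcdio-apps is installed.

```shell
#!/bin/sh
# Added example (not from the Mageia bug, libcdio or the PoC): feed images
# to the libcdio-apps tools and report how each run ended.

# classify_exit STATUS: print "ok", "error (exit N)" or "crash (signal N)".
# POSIX shells report a child killed by signal N as exit status 128+N,
# so 139 is SIGSEGV and 134 is SIGABRT (e.g. from a glibc heap check).
classify_exit() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    elif [ "$rc" -ge 128 ]; then
        echo "crash (signal $((rc - 128)))"
    else
        echo "error (exit $rc)"
    fi
}

# run_check CMD [ARGS...]: run the command with its output discarded and
# classify its exit status. The && / || form keeps a failing command from
# tripping 'set -e' in a caller.
run_check() {
    "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    classify_exit "$rc"
}

# check_images IMG...: run the invocations used in the thread (iso-info and
# iso-info -i) over each image and print one result line per run.
# $args is left unquoted on purpose so the empty entry expands to nothing.
check_images() {
    for img in "$@"; do
        for args in "" "-i"; do
            printf '%-12s %-40s %s\n' "iso-info $args" "$img" \
                "$(run_check iso-info $args "$img")"
        done
    done
}

# Usage: sh check-libcdio.sh PoC-libcdio-bof.iso ~/Descargas/Mageia-8-i586.iso
# Run it once before and once after installing the updated packages; a
# "crash" line that becomes "ok" or "error" is the behaviour the fix changes.
if [ $# -gt 0 ]; then
    command -v iso-info >/dev/null 2>&1 || {
        echo "iso-info not found; install libcdio-apps" >&2
        exit 1
    }
    check_images "$@"
fi
```

A caveat for anyone relying on this: an out-of-bounds write that lands in padding or slack does not necessarily kill the process, so "ok" on the PoC is weaker evidence than "crash" on the old build. Running the same commands under valgrind, or against a build compiled with AddressSanitizer, turns silent overflows into reported ones.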
Thanks for the extra effort. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0252.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED