Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Nov 2008 18:25:26 +0100
From: Tomas Hoger <>
Subject: Re: CVE request: libcdaudio

On Wed, 5 Nov 2008 09:07:23 +0100 Thomas Biege <> wrote:

> we need a CVE-ID for a buffer overflow in libcdaudio.
> It is a remotely exploitable heap-based buffer overflow.

If you have been using libcdaudio packages based on ATrpms / Fedora,
you may have libcdaudio-0.99.12-buffovfl.patch, which addresses the
same issue, it only mallocs more instead of fgetsing less.

This issue does not seem to affect CDDB code used by grip/gnome-vfs2,
which may have common origin and previously had some flaws identical to
libcdaudio (see below).

Additionally, if you are shipping libcdaudio, you may be interested in
patch for CVE-2005-0706 used by Gentoo:

According to the libcdaudio home page, upstream seems to be aware of
this issue, as they acknowledge having security issues and even link to
old Gentoo GLSA.

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ