Hi Nico and others,

On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libcdio some time ago.
>
> CVE-2007-6613[0]:
> | Stack-based buffer overflow in the print_iso9660_recurse function in
> | iso-info (src/iso-info.c) in GNU Compact Disc Input and Control
> | Library (libcdio) 0.79 and earlier allows context-dependent attackers
> | to cause a denial of service (core dump) and possibly execute
> | arbitrary code via a disk or image that contains a long joilet file
> | name.
>
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point
> update[1].
> Please contact the release team for this.
I don't think an update is needed. The issue only affects the cd-info and
iso-info programs, that were not part of any binary package before
0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is affected
(that is anyone who builds the programs from the source package). Is it
something we should support?

Cheers,
Nicolas

PS: please CC replies to me.
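The CVE quoted above describes a recursive directory lister copying a long Joliet file name into a fixed-size stack buffer. The following is an added example, not code from libcdio or from this thread: a constructed in-memory directory tree (a stand-in for parsed ISO 9660 records, with no real image parsing) walked by a recursive lister that copies each name through a bounded, always-terminated copy and counts how many names had to be truncated. The buffer size NAME_BUF and the entry layout are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size; kept small so the long-name case is easy to see. */
#define NAME_BUF 32

/* Constructed stand-in for a directory record. Real ISO 9660 / Joliet
   parsing is not done here. */
struct entry {
    const char *name;
    int is_dir;
    const struct entry *children;
    size_t nchildren;
};

/* Copy src into a fixed-size buffer, always NUL-terminating.
   Returns 1 if the whole name fit, 0 if it had to be truncated.
   This is the length check a stack buffer needs before a name read
   from a disc or image is copied into it. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Walk the tree the way a recursive lister does, using the bounded copy.
   Returns the number of entries whose names were truncated, so a caller
   can tell that an oversized name was handled rather than trusted. */
size_t list_recurse(const struct entry *dir, size_t n, int depth)
{
    size_t truncated = 0;
    for (size_t i = 0; i < n; i++) {
        char name[NAME_BUF];          /* fixed stack buffer, as in the CVE */
        if (!copy_name_bounded(name, sizeof name, dir[i].name))
            truncated++;
        printf("%*s%s%s\n", depth * 2, "", name, dir[i].is_dir ? "/" : "");
        if (dir[i].is_dir && dir[i].children)
            truncated += list_recurse(dir[i].children, dir[i].nchildren, depth + 1);
    }
    return truncated;
}

/* Constructed sample image: one ordinary file and one directory holding
   a name far longer than NAME_BUF. */
static const struct entry sub[] = {
    { "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.TXT", 0, NULL, 0 },
};
static const struct entry root[] = {
    { "README.TXT", 0, NULL, 0 },
    { "DIR", 1, sub, 1 },
};

/* Run the lister over the constructed image; returns the truncation count. */
size_t run_sample(void)
{
    return list_recurse(root, 2, 0);
}

int main(void)
{
    size_t t = run_sample();
    printf("truncated names: %zu\n", t);
    return 0;
}
```

The point of returning the truncation count rather than silently shortening names is that a tool run over untrusted media can report that an image carried names it refused to copy whole, which is what a tester or packager would want to see when reproducing a report like this one.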