Source: libcdio
Version: 2.2.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/libcdio/libcdio/pull/32
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for libcdio.

CVE-2024-36600[0]:
| Buffer Overflow Vulnerability in libcdio 2.2.0 (fixed in 2.3.0)
| allows an attacker to execute arbitrary code via a crafted ISO 9660
| image file.

As discussed on the security contact, the entry was wrong (maybe it got wrong over time, not checked), but trixie and above are now indeed vulnerable to the issue. So filing a bug for tracking, and I have already updated the security-tracker information.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36600
    https://www.cve.org/CVERecord?id=CVE-2024-36600
[1] https://github.com/libcdio/libcdio/pull/32
[2] https://github.com/libcdio/libcdio/commit/417478a7474af41c27ab3f876f31783fa06a5dbc

Regards,
Salvatore