Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1134262,
regarding trixie-pu: package libcdio/2.2.0-4.1~deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Gabriel F. T. Gomes 
<[email protected]>, [email protected]
Control: affects -1 + src:libcdio
User: [email protected]
Usertags: pu

[ Reason ]
libcdio in trixie is prone to CVE-2024-36600, which on its own did
not warrant a DSA but would be good to have fixed in trixie.

[ Impact ]
trixie affected by CVE-2024-36600.

[ Tests ]
A manual test with an iso triggering the issue. Additionally tested on
debusine via: https://debusine.debian.net/debian/developers/work-request/616213/

[ Risks ]
Isolated fix, with patch upstream. I would say low risk, but the
change is not extensively tested by tests on autopkgtests from reverse
dependencies.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Fix the overrun for Joliet filenames.

[ Other info ]
The package has not yet migrated to testing with the fix, but should
happen in a few days.

Regards,
Salvatore
diff -Nru libcdio-2.2.0/debian/changelog libcdio-2.2.0/debian/changelog
--- libcdio-2.2.0/debian/changelog      2025-04-03 05:13:22.000000000 +0200
+++ libcdio-2.2.0/debian/changelog      2026-04-17 22:26:52.000000000 +0200
@@ -1,3 +1,16 @@
+libcdio (2.2.0-4.1~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Apr 2026 22:26:52 +0200
+
+libcdio (2.2.0-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix buffer overrun for Joliet filenames (CVE-2024-36600) (Closes: #1129256)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 17 Apr 2026 21:01:39 +0200
+
 libcdio (2.2.0-4) unstable; urgency=medium
 
   * Remove "Multi-Arch: same" from -dev packages (Closes: #897327)
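Review bot: the top 2.2.0-4.1~deb13u1 entry says only "Rebuild for trixie", so the CVE-2024-36600 and #1129256 references are present in the stable changelog only through the inherited 2.2.0-4.1 entry below it. Both entries ship together, so nothing is lost, but a one-line mention of the CVE in the ~deb13u1 entry would make the stable changelog self-describing for anyone reading only the newest stanza. The ~deb13u1 suffix sorts below 2.2.0-4.1, so the unstable version still supersedes the stable one on upgrade.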
diff -Nru 
libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch 
libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch
--- libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch  
1970-01-01 01:00:00.000000000 +0100
+++ libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch  
2026-04-17 20:51:17.000000000 +0200
@@ -0,0 +1,33 @@
+From: Yuxin Wang <[email protected]>
+Date: Sun, 13 Jul 2025 13:53:17 +0800
+Subject: Fix buffer overrun for Joliet filenames
+Origin: 
https://github.com/libcdio/libcdio/commit/417478a7474af41c27ab3f876f31783fa06a5dbc
+Bug-Debian: https://bugs.debian.org/1129256
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-36600
+
+Joliet uses UCS-2 (2 bytes per character), and converting to UTF-8
+may require up to 3 bytes per character. This patch increases the
+buffer size by i_fname/2 to prevent buffer overrun.
+---
+ lib/iso9660/iso9660_fs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/iso9660/iso9660_fs.c b/lib/iso9660/iso9660_fs.c
+index aa5adb6db74a..586b7435ac26 100644
+--- a/lib/iso9660/iso9660_fs.c
++++ b/lib/iso9660/iso9660_fs.c
+@@ -859,6 +859,11 @@ _iso9660_dir_to_statbuf (iso9660_dir_t *p_iso9660_dir,
+ 
+   /* .. string in statbuf is one longer than in p_iso9660_dir's listing '\1' 
*/
+   stat_len = sizeof(iso9660_stat_t) + i_fname + 2;
++#ifdef HAVE_JOLIET
++  if (u_joliet_level) {
++    stat_len += i_fname / 2;
++  }
++#endif
+ 
+   /* Reuse multiextent p_stat if not NULL */
+   if (!p_stat) {
+-- 
+2.53.0
+
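Review bot: the enlargement `stat_len += i_fname / 2;` is sufficient only because the input is UCS-2: i_fname bytes hold i_fname/2 code points, each of which is at most 3 bytes in UTF-8, so 3*i_fname/2 bytes of name plus the existing "+ 2" fits in the patched stat_len. The hunk adds no bound on the conversion itself, so the safety of the change rests on the decoder never emitting more than 3 bytes per code point (genuine UCS-2 has no surrogate pairs, so 4-byte sequences cannot arise); it would be worth confirming that the conversion writing into the buffer is also length-limited by stat_len rather than relying on the allocation size alone, and that `u_joliet_level` is the existing parameter of `_iso9660_dir_to_statbuf` (its declaration lies outside the visible context). Separately, the `Origin:` header appears wrapped onto a second line in the quoted file; the copy in debian/patches should keep it on one line so the DEP-3 header stays parseable.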
diff -Nru libcdio-2.2.0/debian/patches/series 
libcdio-2.2.0/debian/patches/series
--- libcdio-2.2.0/debian/patches/series 2025-04-03 05:13:22.000000000 +0200
+++ libcdio-2.2.0/debian/patches/series 2026-04-17 21:00:31.000000000 +0200
@@ -1,2 +1,3 @@
 use-ncursesw.patch
 arm-t64-redirect-fix.patch
+Fix-buffer-overrun-for-Joliet-filenames.patch
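Review bot: appending the new entry at the end of series is the right ordering here, since the two existing patches target ncursesw and the arm64 time64 redirect, areas unrelated by name to lib/iso9660/iso9660_fs.c, so no hunk conflicts are expected; the filename matches the new file added under debian/patches.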

--- End Message ---
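An added illustration, not libcdio code and not part of the bug report: a constructed model of the sizing rule the patch describes, showing that the pre-patch room of i_fname + 2 bytes is overrun by a Joliet name made of 3-byte UTF-8 characters, while the patched i_fname + i_fname/2 + 2 bytes is enough for any UCS-2 name. The helper names and the sample filenames are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not libcdio code). Joliet stores names as UCS-2BE,
 * 2 bytes per character; UTF-8 needs up to 3 bytes per BMP code point, so a
 * converted name can be 50% larger than the raw directory record field. */

/* Bytes the UCS-2BE name occupies once converted to UTF-8 (without NUL). */
size_t ucs2be_utf8_len(const uint8_t *name, size_t i_fname)
{
    size_t out = 0;
    for (size_t i = 0; i + 1 < i_fname; i += 2) {
        uint16_t cp = (uint16_t)((name[i] << 8) | name[i + 1]);
        if (cp < 0x80)       out += 1;
        else if (cp < 0x800) out += 2;
        else                 out += 3; /* UCS-2 has no surrogate pairs */
    }
    return out;
}

/* Name room reserved before the patch: i_fname plus the two extra bytes
 * the original code already adds (stat_len = sizeof(...) + i_fname + 2). */
size_t name_room_old(size_t i_fname) { return i_fname + 2; }

/* Name room after the patch: i_fname/2 more bytes when Joliet is active. */
size_t name_room_joliet(size_t i_fname, unsigned u_joliet_level)
{
    size_t room = i_fname + 2;
    if (u_joliet_level) room += i_fname / 2;
    return room;
}

/* 1 if the converted name plus its terminating NUL fits in `room` bytes. */
int name_fits(const uint8_t *name, size_t i_fname, size_t room)
{
    return ucs2be_utf8_len(name, i_fname) + 1 <= room;
}

/* Constructed samples: four U+4E2D characters (8 bytes UCS-2, 12 bytes
 * UTF-8) and the ASCII name "ABCD" (8 bytes UCS-2, 4 bytes UTF-8). */
const uint8_t SAMPLE_CJK[8]   = {0x4E, 0x2D, 0x4E, 0x2D, 0x4E, 0x2D, 0x4E, 0x2D};
const uint8_t SAMPLE_ASCII[8] = {0x00, 'A', 0x00, 'B', 0x00, 'C', 0x00, 'D'};
```

For the CJK sample the old room is 10 bytes against 13 needed, while the patched room is 14 bytes; the ASCII sample fits either way.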
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
