Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Gabriel F. T. Gomes <[email protected]>, [email protected]
Control: affects -1 + src:libcdio
User: [email protected]
Usertags: pu
[ Reason ]
libcdio in trixie is prone to CVE-2024-36600, which on its own did not
warrant a DSA but would be good to have fixed in trixie.

[ Impact ]
trixie affected by CVE-2024-36600.

[ Tests ]
A manual test with an iso triggering the issue. Additionally tested on
debusine via:
https://debusine.debian.net/debian/developers/work-request/616213/

[ Risks ]
Isolated fix, with patch upstream. I would say low risk, but the change
is not extensively tested by tests on autopkgtests from reverse
dependencies.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Fix the overrun for Joliet filenames.

[ Other info ]
The package has not yet migrated to testing with the fix, but should
happen in a few days.

Regards,
Salvatore
diff -Nru libcdio-2.2.0/debian/changelog libcdio-2.2.0/debian/changelog --- libcdio-2.2.0/debian/changelog 2025-04-03 05:13:22.000000000 +0200 +++ libcdio-2.2.0/debian/changelog 2026-04-17 22:26:52.000000000 +0200 @@ -1,3 +1,16 @@ +libcdio (2.2.0-4.1~deb13u1) trixie; urgency=medium + + * Rebuild for trixie + + -- Salvatore Bonaccorso <[email protected]> Fri, 17 Apr 2026 22:26:52 +0200 + +libcdio (2.2.0-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix buffer overrun for Joliet filenames (CVE-2024-36600) (Closes: #1129256) + + -- Salvatore Bonaccorso <[email protected]> Fri, 17 Apr 2026 21:01:39 +0200 + libcdio (2.2.0-4) unstable; urgency=medium * Remove "Multi-Arch: same" from -dev packages (Closes: #897327) diff -Nru libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch --- libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcdio-2.2.0/debian/patches/Fix-buffer-overrun-for-Joliet-filenames.patch 2026-04-17 20:51:17.000000000 +0200 
@@ -0,0 +1,33 @@ +From: Yuxin Wang <[email protected]> +Date: Sun, 13 Jul 2025 13:53:17 +0800 +Subject: Fix buffer overrun for Joliet filenames +Origin: https://github.com/libcdio/libcdio/commit/417478a7474af41c27ab3f876f31783fa06a5dbc +Bug-Debian: https://bugs.debian.org/1129256 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-36600 + +Joliet uses UCS-2 (2 bytes per character), and converting to UTF-8 +may require up to 3 bytes per character. This patch increases the +buffer size by i_fname/2 to prevent buffer overrun. +--- + lib/iso9660/iso9660_fs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/iso9660/iso9660_fs.c b/lib/iso9660/iso9660_fs.c +index aa5adb6db74a..586b7435ac26 100644 +--- a/lib/iso9660/iso9660_fs.c ++++ b/lib/iso9660/iso9660_fs.c +@@ -859,6 +859,11 @@ _iso9660_dir_to_statbuf (iso9660_dir_t *p_iso9660_dir, + + /* .. string in statbuf is one longer than in p_iso9660_dir's listing '\1' */ + stat_len = sizeof(iso9660_stat_t) + i_fname + 2; ++#ifdef HAVE_JOLIET ++ if (u_joliet_level) { ++ stat_len += i_fname / 2; ++ } ++#endif + + /* Reuse multiextent p_stat if not NULL */ + if (!p_stat) { +-- +2.53.0 + diff -Nru libcdio-2.2.0/debian/patches/series libcdio-2.2.0/debian/patches/series --- libcdio-2.2.0/debian/patches/series 2025-04-03 05:13:22.000000000 +0200 +++ libcdio-2.2.0/debian/patches/series 2026-04-17 21:00:31.000000000 +0200 @@ -1,2 +1,3 @@ use-ncursesw.patch arm-t64-redirect-fix.patch +Fix-buffer-overrun-for-Joliet-filenames.patch
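Review bot: the `stat_len += i_fname / 2;` addition in the iso9660_fs.c hunk carries no code comment, so the reasoning for the figure lives only in the patch header; suggest a one-line comment above the `#ifdef HAVE_JOLIET` block, e.g. `/* Joliet names are UCS-2 (i_fname/2 chars); UTF-8 needs up to 3 bytes each */`, so the `/ 2` is not read as a magic number. The arithmetic itself matches the description: at most i_fname/2 characters times 3 bytes is i_fname + i_fname/2, and the existing `+ 2` still covers the terminator. Since the hunk only enlarges the allocation and the code that fills the name is outside the shown context, it is worth confirming in review that the later copy into the statbuf is bounded by the new stat_len rather than by i_fname.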

