Hello community, here is the log from the commit of package libcdio for openSUSE:Factory checked in at 2018-03-01 12:03:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcdio (Old) and /work/SRC/openSUSE:Factory/.libcdio.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libcdio" Thu Mar 1 12:03:53 2018 rev:42 rq:580772 version:0.94 Changes: -------- --- /work/SRC/openSUSE:Factory/libcdio/libcdio.changes 2017-11-07 09:56:42.797100026 +0100 +++ /work/SRC/openSUSE:Factory/.libcdio.new/libcdio.changes 2018-03-01 12:03:54.986478877 +0100 @@ -1,0 +2,6 @@ +Tue Feb 27 17:09:35 CET 2018 - sbrabec@suse.com + +- Fix double free vulnerability (bsc#1082877, CVE-2017-18201, + CVE-2017-18201.patch). + +------------------------------------------------------------------- New: ---- CVE-2017-18201.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cdio-utils.spec ++++++ --- /var/tmp/diff_new_pack.bqP7sy/_old 2018-03-01 12:03:55.602456780 +0100 +++ /var/tmp/diff_new_pack.bqP7sy/_new 2018-03-01 12:03:55.606456637 +0100 @@ -1,7 +1,7 @@ # # spec file for package cdio-utils # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ libcdio.spec ++++++ --- /var/tmp/diff_new_pack.bqP7sy/_old 2018-03-01 12:03:55.634455632 +0100 +++ /var/tmp/diff_new_pack.bqP7sy/_new 2018-03-01 12:03:55.638455488 +0100 
@@ -1,7 +1,7 @@ # # spec file for package libcdio # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,8 @@ Source3: baselibs.conf # PATCH-FIX-UPSTREAM 0001-Savannah-Bug-49907.patch https://savannah.gnu.org/bugs/index.php?49907 Patch0: 0001-Savannah-Bug-49907.patch +# PATCH-FIX-SECURITY CVE-2017-18201.patch bsc1082877 CVE-2017-18201 sbrabec@suse.com -- Fix double free vulnerability. +Patch1: CVE-2017-18201.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: help2man @@ -110,6 +112,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %define buildir ${PWD} ++++++ CVE-2017-18201.patch ++++++
From f6f9c48fb40b8a1e8218799724b0b61a7161eb1d Mon Sep 17 00:00:00 2001 From: "R. Bernstein"
Date: Fri, 22 Dec 2017 16:06:57 -0500 Subject: [PATCH] Fix double free courtesy of Chris Clayton
--- lib/driver/_cdio_generic.c | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c index d40ac0d9..ae820d25 100644 --- a/lib/driver/_cdio_generic.c +++ b/lib/driver/_cdio_generic.c @@ -296,7 +296,6 @@ get_cdtext_generic (void *p_user_data) if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) { p_env->b_cdtext_error = true; - cdtext_destroy (p_env->cdtext); free(p_env->cdtext); p_env->cdtext = NULL; } -- 2.16.2
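Review bot: the comment above Patch1 in libcdio.spec writes the bug reference as bsc1082877, while the libcdio.changes entry writes bsc#1082877; use the bsc#1082877 form in both places so the reference can be found with one search. The Patch0 comment carries its upstream URL, and the header of CVE-2017-18201.patch shows it is upstream commit f6f9c48fb40b8a1e8218799724b0b61a7161eb1d, so the Patch1 comment could name that commit in the same way.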
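Review bot: in the error branch of get_cdtext_generic, the surviving free(p_env->cdtext) releases only the top-level object, and the commit message does not say why cdtext_destroy was the call to drop rather than free. If cdtext_data_init can allocate members of p_env->cdtext before it fails, those are no longer released on this path; either keep cdtext_destroy and drop the free instead, or add a comment at this branch stating why free alone is sufficient. The len <= 0 case reaches the same branch, so that comment should cover it as well.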