Security update for libcdio

Announcement ID:	SUSE-SU-2020:14498-1
Rating:	low
References:	bsc#1082821
Cross-References:	CVE-2017-18199
CVSS scores:	CVE-2017-18199 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2017-18199 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Point of Service 11 SP3

An update that solves one vulnerability can now be installed.

Description:

This update for libcdio and libcdio-mini fixes the following issues:

Security issue fixed:

• CVE-2017-18199: Fixed a NULL Pointer Dereference in realloc_symlink which could allow remote attackers to cause Denial of Service (bsc#1082821).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Point of Service 11 SP3
  zypper in -t patch sleposp3-libcdio-14498=1

Package List:

• SUSE Linux Enterprise Point of Service 11 SP3 (i586)
  • libcdio_cdda0-0.80-8.3.5
  • libcdio7-0.80-8.3.5
  • libcdio_paranoia0-0.80-8.3.5

References:

• https://www.suse.com/security/cve/CVE-2017-18199.html
• https://bugzilla.suse.com/show_bug.cgi?id=1082821