Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 24 February 2018

realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote attackers to cause a denial of service (NULL Pointer Dereference) via a crafted iso file.


there is no explicit information mentioning what is the
patch for this CVE, but it looks like it might have been
fixed together with other issues in commit b9ab2a9d36a,
according to the comment in the NEWS file. This is the commit
that patches CVE-2017-18198. No other changes made to the
to the code seem to be related to this vulnerability other
than e73a8bb23a4, which looks like an initial version of
something improved by commit b9ab2a9d36a. Commit e73a8bb23a4
fixes issue 52091 which is very similar to the issue that is
CVE-2017-18198. CVE-2017-18199 involves code that is closely
related to the code that is affected by CVE-2017-18198, and
further research indicates that the POC for this latter CVE
no longer causes a crash when commit e73a8bb23a4 is applied,
so it is adequate to assume that it fixes CVE-2017-18199 and
that commit b9ab2a9d36a, the improved version of e73a8bb23a4,
does so as well.



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
artful Ignored
(end of life)
bionic Not vulnerable
cosmic Not vulnerable
disco Not vulnerable
eoan Not vulnerable
focal Not vulnerable
groovy Not vulnerable
hirsute Not vulnerable
impish Not vulnerable
jammy Not vulnerable
kinetic Not vulnerable
Released (0.83-4.1ubuntu1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
Released (1.0.0, 1.0.0-1)
Released (0.83-4.2ubuntu1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H