Stack-based buffer overflow in the print_iso9660_recurse function in iso-info (src/iso-info.c) in GNU Compact Disc Input and Control Library (libcdio) 0.79 and earlier allows context-dependent attackers to cause a denial of service (core dump) and possibly execute arbitrary code via a disk or image that contains a long Joliet file name.
The GNU Compact Disc Input and Control Library ('libcdio') is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. The issues occur when the 'cd-info' and 'iso-info' programs handle specially crafted ISO files. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions. The issues affect libcdio 0.79; other versions may also be affected.
A patch is available from Gentoo bugzilla. Please see the references for more information.
GNU libcdio 0.79
GNU libcdio-buffer-offbyone.patch
http://bugs.gentoo.org/attachment.cgi?id=140011
The following proof of concept is available:
Steps to Reproduce:
1. mkdir -p tmp/dir1
2. echo file_with_really_really_long_silly_name_to_test_iso_info_buffer
3. mkisofs -J -R -volid My_Image -o test.iso tmp
4. iso-info -l test.iso
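The bug class behind this advisory, as an added illustration that is not libcdio's code and does not use its real structures or buffer sizes: a directory-listing routine copies a file name into a fixed stack buffer using the length byte read from the image as the copy bound. Joliet stores names as UCS-2, so the byte length is twice the character count, and the 63-character name from the reproduction steps above becomes 126 bytes. The hypothetical NAME_BUF_SIZE, the dir_record_t stand-in, and the helper names are assumptions made for this example; the unbounded copy is shown only for comparison with the bounded version and is never called.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size stack buffer standing in for whatever a listing
 * routine might use; not libcdio's real size. */
#define NAME_BUF_SIZE 64

/* Minimal stand-in for an ISO 9660 directory record: one length byte
 * followed by that many name bytes, not NUL-terminated on disc. The length
 * is attacker-controlled data, because it comes from the image. */
typedef struct {
    unsigned char name_len;        /* byte count taken from the image */
    const unsigned char *name;
} dir_record_t;

/* The vulnerable pattern: the on-disc length is used as the copy bound.
 * name_len may exceed the buffer, and even when it equals NAME_BUF_SIZE the
 * terminator lands one byte past the end (the off-by-one case). Shown for
 * comparison only; nothing in this file calls it. */
void copy_name_unbounded(char dst[NAME_BUF_SIZE], const dir_record_t *rec)
{
    memcpy(dst, rec->name, rec->name_len);
    dst[rec->name_len] = '\0';
}

/* Hardened form: the caller's buffer size is the bound, and a name that does
 * not fit together with its terminator is rejected instead of copied.
 * Returns 0 on success, -1 when the name is too long for the buffer. */
int copy_name_bounded(char *dst, size_t dst_size, const dir_record_t *rec)
{
    if (dst_size == 0 || (size_t)rec->name_len >= dst_size)
        return -1;                 /* name_len + 1 must fit */
    memcpy(dst, rec->name, rec->name_len);
    dst[rec->name_len] = '\0';
    return 0;
}

/* Check a listing loop can run before touching the buffer at all. */
int name_fits(const dir_record_t *rec, size_t dst_size)
{
    return (size_t)rec->name_len + 1 <= dst_size;
}

/* Constructed helper: encode an ASCII name as Joliet-style UCS-2 (big
 * endian) into out and return the byte length, stopping when out is full. */
size_t to_joliet_ucs2(const char *ascii, unsigned char *out, size_t out_size)
{
    size_t n = 0;
    for (const char *p = ascii; *p && n + 2 <= out_size; p++) {
        out[n++] = 0x00;
        out[n++] = (unsigned char)*p;
    }
    return n;
}

int main(void)
{
    /* The name from the reproduction steps, encoded the way a -J image
     * would store it. */
    const char *long_name =
        "file_with_really_really_long_silly_name_to_test_iso_info_buffer";
    unsigned char encoded[256];
    char buf[NAME_BUF_SIZE];

    size_t len = to_joliet_ucs2(long_name, encoded, sizeof encoded);
    dir_record_t rec = { (unsigned char)len, encoded };

    printf("Joliet name is %zu bytes; buffer holds %d\n", len, NAME_BUF_SIZE);
    if (!name_fits(&rec, sizeof buf))
        printf("unbounded copy would write %zu bytes past the buffer\n",
               len + 1 - sizeof buf);
    printf("bounded copy of long name: %s\n",
           copy_name_bounded(buf, sizeof buf, &rec) == 0 ? "ok" : "rejected");

    /* An ordinary short name still works with the bounded copy. */
    dir_record_t short_rec = { 6, (const unsigned char *)"README" };
    if (copy_name_bounded(buf, sizeof buf, &short_rec) == 0)
        printf("bounded copy of short name: %s\n", buf);
    return 0;
}
```

The defensive point is that the bound passed to memcpy must come from the destination the program owns, never from a length field in the image; rejecting (or, where appropriate, truncating) an over-long name keeps a crafted image from reaching the stack frame at all, and it is the same check that closes the off-by-one case where the name exactly fills the buffer and only the terminator spills.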