In https://security-tracker.debian.org/tracker/CVE-2017-18201 it claims 0.83 is vulnerable, but I don't believe that this is the case.
I think that bug was introduced in version 0.92. There was a major change in 0.90 as to how CD-TEXT was handled (and in 0.90 there was memory that was not freed rather than double freed, which started I think in 0.92). So I don't believe 0.83 should be marked as vulnerable.

On Tue, Feb 27, 2018 at 10:49 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: libcdio
> Version: 1.0.0-1
> Severity: important
> Tags: security upstream
> Control: fixed -1 2.0.0-1
>
> Hi,
>
> the following vulnerability was published for libcdio.
>
> CVE-2017-18201[0]:
> | An issue was discovered in GNU libcdio before 2.0.0. There is a double
> | free in get_cdtext_generic() in lib/driver/_cdio_generic.c.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-18201
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18201
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore