
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A buffer overflow vulnerability, tracked as CVE-2024-36600, was identified in libcdio v2.1.0. It allows an attacker to execute arbitrary code through a specially crafted ISO 9660 image file. The issue was discovered in May 2024 by Mansour Gashasbi and affects the GNU Compact Disc Input and Control library (libcdio), which provides access to CD-ROMs and CD images (GitHub Report).
The vulnerability stems from an undersized buffer for UTF-8 filename strings. The buffer is allocated with the same length as the UCS-2 string, which becomes a problem for glyphs that need 3- or 4-byte UTF-8 sequences: because a single character may take several bytes in UTF-8, the total number of bytes needed can exceed the allocated buffer even though the character count matches the UCS-2 string length. The vulnerability was introduced in the development version after commit 4c840665 (GitHub Report).
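The sizing mistake described above, as an added illustration that is not libcdio's code: a constructed UCS-2 filename of three CJK glyphs needs nine UTF-8 bytes, so a buffer sized one byte per code unit (the flawed pattern modelled here) is too small, while sizing from the computed byte count is not. The sample strings, the function names and the "one byte per unit" model are assumptions of this example; it covers BMP code units only (1 to 3 UTF-8 bytes each).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample filenames as UCS-2 code units (BMP only, no surrogates). */
const uint16_t SAMPLE_ASCII[3] = { 0x0061, 0x0062, 0x0063 }; /* "abc" */
const uint16_t SAMPLE_CJK[3]   = { 0x65E5, 0x672C, 0x8A9E }; /* three 3-byte glyphs */

/* UTF-8 bytes for one UCS-2 code unit: 1, 2 or 3. */
static size_t utf8_len_for_unit(uint16_t cu) {
    return cu < 0x80 ? 1 : cu < 0x800 ? 2 : 3;
}

/* UTF-8 bytes needed for the whole string, excluding the NUL terminator. */
size_t utf8_bytes_needed(const uint16_t *ucs2, size_t n_units) {
    size_t total = 0;
    for (size_t i = 0; i < n_units; i++) total += utf8_len_for_unit(ucs2[i]);
    return total;
}

/* Encode one code unit at dst; returns bytes written. Caller guarantees room. */
static size_t put_utf8(uint16_t cu, char *dst) {
    if (cu < 0x80) { dst[0] = (char)cu; return 1; }
    if (cu < 0x800) { dst[0] = (char)(0xC0 | (cu >> 6)); dst[1] = (char)(0x80 | (cu & 0x3F)); return 2; }
    dst[0] = (char)(0xE0 | (cu >> 12)); dst[1] = (char)(0x80 | ((cu >> 6) & 0x3F));
    dst[2] = (char)(0x80 | (cu & 0x3F)); return 3;
}

/* Flawed sizing as modelled here: one output byte per UCS-2 unit plus NUL.
   Returns 1 when that buffer would be too small, i.e. the write would overflow. */
int flawed_sizing_overflows(const uint16_t *ucs2, size_t n_units) {
    return utf8_bytes_needed(ucs2, n_units) + 1 > n_units + 1;
}

/* Hardened conversion: the buffer is sized from the computed byte count. */
char *ucs2_to_utf8(const uint16_t *ucs2, size_t n_units) {
    size_t need = utf8_bytes_needed(ucs2, n_units), pos = 0;
    char *out = malloc(need + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n_units; i++) pos += put_utf8(ucs2[i], out + pos);
    out[pos] = '\0';
    return out;
}

int main(void) {
    char *s = ucs2_to_utf8(SAMPLE_CJK, 3);
    if (!s) return 1;
    printf("3 units -> %zu UTF-8 bytes: %s (flawed sizing overflows: %d)\n",
           strlen(s), s, flawed_sizing_overflows(SAMPLE_CJK, 3));
    free(s);
    return 0;
}
```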
Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on the affected system through a specially crafted ISO 9660 image file (NVD).
Several Linux distributions have released fixes for this vulnerability. Debian has addressed the issue across multiple releases: bullseye (2.1.0-2), bookworm (2.1.0-4), trixie (2.1.0-5), and sid (2.2.0-1). Ubuntu has also released security updates through USN-6855-1 (Debian Tracker, Rapid7).
Source: This report was generated using AI