VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2019 · Updated Aug 5, 2024

CVE-2019-15540

Description

filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libMirage 3.2.2 CSO filter has a heap-based buffer overflow via a crafted CISO image, enabling local root privilege escalation.

Vulnerability

The CSO filter in libMirage version 3.2.2, located in filters/filter-cso/filter-stream.c, does not validate the part size field in a CISO (compressed ISO) image header. A crafted image can specify a part size larger than the declared block size, causing the inflate call to decompress data into an undersized heap buffer, triggering a heap-based buffer overflow [1][2]. The fix was committed as [0e9292] on 2019-08-25 [3].

Exploitation

An attacker with local user access can supply a malicious CISO image file to CDemu. The image header is parsed, and when the filter processes a compressed part, the oversized part size causes an out-of-bounds heap write during decompression. The provided proof-of-concept file makes the process abort with "double free or corruption (!prev)", indicating that heap metadata was corrupted [1][2]. No special privileges beyond local user access are required.

Impact

Successful exploitation allows the attacker to corrupt heap memory, potentially leading to arbitrary code execution in the context of the CDemu process. Since CDemu often runs as root (to mount virtual drives), this can result in full root privilege escalation [1].

Mitigation

The vulnerability is fixed in libMirage 3.2.3 (or any version including commit [0e9292]) [3]. Users should update their libMirage package to the latest version available from the CDemu project. No workarounds are documented; the fix validates that the part size is either less than the block size (compressed) or equal to it (raw), rejecting malformed images.
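
The part-size rule described above, sketched as a stand-alone pre-check over an image index (an added example, not libMirage's code or the actual patch). It assumes a simplified index layout in which each 32-bit entry is a byte offset whose top bit marks a raw part; first_bad_part, RAW_FLAG and the sample indexes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAW_FLAG 0x80000000u /* assumed: top bit marks an uncompressed part */

/* Returns -1 if every part passes, else the number of the first bad part.
 * index[] holds num_parts + 1 entries; part i spans index[i]..index[i+1]. */
static long first_bad_part(const uint32_t *index, size_t num_parts,
                           uint32_t block_size)
{
    if (block_size == 0)            /* a zero block size is itself malformed */
        return 0;
    for (size_t i = 0; i < num_parts; i++) {
        uint32_t start = index[i] & ~RAW_FLAG;
        uint32_t end = index[i + 1] & ~RAW_FLAG;
        int raw = (index[i] & RAW_FLAG) != 0;

        if (end < start)            /* offsets must never go backwards */
            return (long)i;
        uint32_t size = end - start; /* cannot wrap: end >= start */
        /* Rule from the advisory: raw parts equal the block size,
         * compressed parts are strictly smaller than it. */
        if (raw ? size != block_size : size >= block_size)
            return (long)i;
    }
    return -1;
}

/* Constructed sample indexes for three parts, block size 2048. */
static const uint32_t good_index[] = { 24, 1024u | RAW_FLAG, 3072, 3500 };
static const uint32_t oversized_index[] = { 24, 1024, 9216, 9300 };
static const uint32_t backwards_index[] = { 24, 512, 600, 100 };
static const uint32_t short_raw_index[] = { 24u | RAW_FLAG, 1024, 1100, 1200 };

int main(void)
{
    printf("good:      %ld\n", first_bad_part(good_index, 3, 2048));
    printf("oversized: %ld\n", first_bad_part(oversized_index, 3, 2048));
    printf("backwards: %ld\n", first_bad_part(backwards_index, 3, 2048));
    printf("short raw: %ld\n", first_bad_part(short_raw_index, 3, 2048));
    return 0;
}
```

Running the check before any buffer is filled means a rejected image never reaches the decompression step.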

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
