Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4196795.4HvRXNqvRy@wanheda>
Date: Thu, 14 Sep 2017 09:51:36 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: Simon McVittie <smcv@...ian.org>
Subject: Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c)

On giovedì 14 settembre 2017 09:24:45 CEST Simon McVittie wrote:
> On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote:
> > The fuzz was done via the aacgain command-line tool which uses mp3gain
> > which bundles an old-modified version of mpg123 called mpglibDBL.
> 
> I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL
> is known to have security vulnerabilities anyway:
> https://security-tracker.debian.org/tracker/source-package/mp3gain
> (I wonder whether you've rediscovered those, or found new vulnerabilities?)
> 
> It probably also suffers from most other historical vulnerabilities
> that are listed for mpg123. We removed it from Debian in 2014,
> with a recommendation to use the rgain Python package instead:
> https://tracker.debian.org/pkg/rgain
> 
> rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't
> exactly bug-free either; but those libraries are actively maintained,
> and when they have vulnerabilities, they'd need to be fixed anyway for
> the benefit of other packages.
> 
> Regards,
>     smcv
I didn't investigate to the mpg123 bugs, I searched for mp3gain into the CVE 
database.
Anwyay I agree with you that is time to drop the packages.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.