|
Message-ID: <4196795.4HvRXNqvRy@wanheda> Date: Thu, 14 Sep 2017 09:51:36 +0200 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Cc: Simon McVittie <smcv@...ian.org> Subject: Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) On giovedì 14 settembre 2017 09:24:45 CEST Simon McVittie wrote: > On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote: > > The fuzz was done via the aacgain command-line tool which uses mp3gain > > which bundles an old-modified version of mpg123 called mpglibDBL. > > I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL > is known to have security vulnerabilities anyway: > https://security-tracker.debian.org/tracker/source-package/mp3gain > (I wonder whether you've rediscovered those, or found new vulnerabilities?) > > It probably also suffers from most other historical vulnerabilities > that are listed for mpg123. We removed it from Debian in 2014, > with a recommendation to use the rgain Python package instead: > https://tracker.debian.org/pkg/rgain > > rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't > exactly bug-free either; but those libraries are actively maintained, > and when they have vulnerabilities, they'd need to be fixed anyway for > the benefit of other packages. > > Regards, > smcv I didn't investigate to the mpg123 bugs, I searched for mp3gain into the CVE database. Anwyay I agree with you that is time to drop the packages. -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.