| Summary: | media-sound/mp3gain media-sound/aacgain: multiple vulnerabilities (CVE-2017-{14406,14407,14408,14409,14410,14411,14412}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | chain, chainsaw, chewi, drmccoy, gentoo-bugs, gentoo_bugs.nu_q5v, maintainer-needed, sound, world.root |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=635548 | | |
| Whiteboard: | B2 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 643400, 643402, 643404 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2017-09-14 07:56:18 UTC
I'm confused about this situation. We're not carrying the latest version of 1.6.2 (tagged but no tarball) which has fixes for other vulnerabilities like CVE-2017-12911. Maybe I'm looking in the wrong place but I can't see any evidence that upstream has been contacted about these. Or perhaps it was assumed that upstream is dead, but the last commit was a month ago.

Please kindly keep this package in portage, even if hardmasked. It is extremely useful, and when using it on mp3 files that I encoded myself, there will be no security risk! Thanks in advance.

It's rather strange for a dead project to have a new release and upload tarballs. Please report the bugs to upstream instead of just removing the package, as other packages (including lame encoding support in abcde) depend on it.

Can these vulnerabilities be reproduced with the most recent version?

According to the reporter himself the vulnerabilities were not communicated to upstream (upstream appeared dead at the time). In 2018-01, new version 1.6.1 is out (tarball is on SF). It could be that this bug report was made obsolete by the new release. It could also be that the bug still happens with the new release, but now that upstream is responsive, they can be corrected very soon.

"The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL." [0]

[aea832] (1.6.0, cli_1_6_0) by Glen Sawyer: Use libmpg123 instead of hacked version of mpglib
https://sourceforge.net/p/mp3gain/code/ci/aea83203960fc6d3237b1ae38e8434ec8681b21a/

That alone suggests to me that the situation with 1.6.x is somewhat different to that given by this bug.

[0] https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/

(In reply to Andrew John Hughes from comment #6)
> Ebuild for 1.6.1:
> https://github.com/gnu-andrew/gnu_andrew-overlay/tree/master/media-sound/mp3gain

Does your mp3gain 1.6.1 work on AAC files as well?

It's really a shame that these essential tools for audiophiles have been neglected to the point of CVE vulnerabilities going unaddressed.

```
[master ace29cb9d332] media-sound/mp3gain: Bump (#630954), fix CVE-2017-12911 (#635548)
 3 files changed, 112 insertions(+)
 create mode 100644 media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-12911.patch
 create mode 100644 media-sound/mp3gain/mp3gain-1.6.1.ebuild
```

media-sound/aacgain removed

no removal glsa then

(In reply to Mikle Kolyada from comment #10)
> no removal glsa then

mp3gain still needs to be tracked.

Really, the lame flag for abcde is fine if +replaygain isn't also specified. Too bad portage doesn't support masking a flag conditionally if another flag was specified. I've locally commented out the abcde mask in profiles/base/package.use.mask so I can continue using lame and without triggering any vulnerability. If the future of the mp3gain package is in question, then the abcde maintainer should split the replaygain flag into mp3gain and vorbisgain. In the current state abcde[lame] users are penalized for the non-maintenance of a package they may not be using.