Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via or IRC
Bug 630954 - media-sound/mp3gain media-sound/aacgain: multiple vulnerabilities (CVE-2017-{14406,14407,14408,14409,14410,14411,14412})
Summary: media-sound/mp3gain media-sound/aacgain: multiple vulnerabilities (CVE-2017-{...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa cve]
Depends on: 643402 643404 643400
  Show dependency tree
Reported: 2017-09-14 07:56 UTC by Agostino Sarubbo
Modified: 2019-04-04 20:12 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 James Le Cuirot gentoo-dev 2018-03-18 13:31:30 UTC
I'm confused about this situation. We're not carrying the latest version of 1.6.2 (tagged but no tarball) which has fixes for other vulnerabilities like CVE-2017-12911. Maybe I'm looking in the wrong place but I can't see any evidence that upstream has been contacted about these. Or perhaps it was assumed that upstream is dead but the last commit was a month ago.
Comment 2 Joël 2018-03-19 17:21:49 UTC
Please kindly keep this package in portage, even if hardmasked.

It is extremely useful, and when using it on mp3 files that I encoded myself, there will be no security risk! Thanks in advance.
Comment 3 Andreas Grois 2018-03-21 07:45:14 UTC
It's rather strange for a dead project to have a new release and upload tarballs.
Please report the bugs to upstream instead of just removing the package, as other packages (including lame encoding support in abcde) depend on it.
Comment 4 Jérôme Borme 2018-03-23 10:19:30 UTC
Can these vulnerabilities be reproduced with the most recent version?

According to the reporter himself the vulnerabilities were not communicated to upstream (upstream appeared dead at the time). In 2018-01, new version 1.6.1 is out (tarball is on SF). It could be that this bug report was made obsolete y the new release. It could be also that the bug still happens with the new release, but now that upstream is responsive, they can be corrected very soon.
Comment 5 Andrew John Hughes 2018-04-19 18:12:23 UTC
"The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL." [0]

 [aea832] (1.6.0, cli_1_6_0) by Glen Sawyer Glen Sawyer

Use libmpg123 instead of hacked version of mpglib

That alone suggests to me that the situation with 1.6.x is somewhat different to that given by this bug.

Comment 6 Andrew John Hughes 2018-04-19 20:30:02 UTC
Ebuild for 1.6.1:
Comment 7 Matt Whitlock 2018-04-20 02:05:39 UTC
(In reply to Andrew John Hughes from comment #6)
> Ebuild for 1.6.1:
> mp3gain

Does your mp3gain 1.6.1 work on AAC files as well?

It's really a shame that these essential tools for audiophiles have been neglected to the point of CVE vulnerabilities going unaddressed.
Comment 8 Pacho Ramos gentoo-dev 2018-04-21 14:35:01 UTC
[master ace29cb9d332] media-sound/mp3gain: Bump (#630954), fix CVE-2017-12911 (#635548)
 3 files changed, 112 insertions(+)
 create mode 100644 media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-12911.patch
 create mode 100644 media-sound/mp3gain/mp3gain-1.6.1.ebuild
Comment 9 Pacho Ramos gentoo-dev 2018-04-29 17:24:12 UTC
media-sound/aacgain removed
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-04-30 15:15:51 UTC
no removal glsa then
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-30 16:01:33 UTC
(In reply to Mikle Kolyada from comment #10)
> no removal glsa then

mp3gain still needs tracked.
Comment 12 Erik Mackdanz gentoo-dev 2018-05-06 22:14:35 UTC
Really, the lame flag for abcde is fine if +replaygain isn't also specified.  Too bad portage doesn't support masking a flag conditionally if another flag was specified.

I've locally commented out the abcde mask in profiles/base/package.use.mask so I can continue using lame and without triggering any vulnerability.

If the future of the mp3gain package is in question, then the abcde maintainer should split the replaygain flag into mp3gain and vorbisgain.  In the current state abcde[lame] users are penalized for the non-maintenance of a package they may not using.