Debian Bug report logs -
#973932
mp3gain: CVE-2018-10777, CVE-2019-18359: Crashes with fuzzing PoC
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Scott Hardin <scottnhardin@gmail.com>
:
Bug#973932
; Package mp3gain
.
(Sat, 07 Nov 2020 19:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Fritsch <sf@sfritsch.de>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Scott Hardin <scottnhardin@gmail.com>
.
(Sat, 07 Nov 2020 19:30:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mp3gain
Version: 1.6.2-1+b1
Severity: important
Tags: security, patch
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
mp3gain 1.6.2 still crashes with AdressSanitizer errors on the PoCs
mp3gain_poc1
mp3gain_poc2
mp3gain_poc5
mp3gain_CVE-2018-10777
from https://github.com/zjuchenyuan/fuzzpoc.git
SuSe claims to have fixed them with this patch:
https://build.opensuse.org/package/view_file/openSUSE:Maintenance:12304/mp3gain.openSUSE_Leap_15.1_Update/0001-fix-security-bugs.patch?rev=0db47562b2545871d0be3fc88083e0cd
Debian builds mp3gain with asan on amd64 i386 armel armhf powerpc. This
means the other architectures are still vulnerable.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 16 10:07:36 2020;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.