Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Sep 2017 13:12:20 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>
Subject: Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c)

On giovedì 14 settembre 2017 11:51:42 CEST Dr. Thomas Orgis wrote:
> I disagree. I am considering cleaning up mp3gain and omitting nearly
> all of the vulnerabilities by removing the decoder fork. Reason: rgain
> does not do what mp3gain did. Mp3gain can directly modify the MPEG
> frames so that the gain is changed also for decoders that do not
> support the added metadata (it additionally stores metadata to be able
> to revert the changes).
> 
> While I am not regularily using this myself, I do think that it's a
> nifty hack that should not disappear. Maybe it can re-enter distros if
> it does not rely on an outdated internal decoder …
> 
> This is becoming a bit off-topic … but I just wanted to note that the
> bug reports do serve a purpose in alerting me to that other copy of
> mpg123 code in the wild.
> 
> 
> Alrighty then,
> 
> Thomas

Hello Thomas,

the suggestion of removal was because of the dead status of the upstream 
project.
If there will be people that fix the issues, will be great.

Feel free to update this thread when you have news about.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.