Date: Thu, 14 Sep 2017 08:24:45 +0100 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote: > The fuzz was done via the aacgain command-line tool which uses mp3gain > which bundles an old-modified version of mpg123 called mpglibDBL. I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL is known to have security vulnerabilities anyway: https://security-tracker.debian.org/tracker/source-package/mp3gain (I wonder whether you've rediscovered those, or found new vulnerabilities?) It probably also suffers from most other historical vulnerabilities that are listed for mpg123. We removed it from Debian in 2014, with a recommendation to use the rgain Python package instead: https://tracker.debian.org/pkg/rgain rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't exactly bug-free either; but those libraries are actively maintained, and when they have vulnerabilities, they'd need to be fixed anyway for the benefit of other packages. Regards, smcv
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ