Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Sep 2017 08:24:45 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: mp3gain: NULL pointer dereference in sync_buffer
 (mpglibDBL/interface.c)

On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote:
> The fuzz was done via the aacgain command-line tool which uses mp3gain
> which bundles an old-modified version of mpg123 called mpglibDBL.

I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL
is known to have security vulnerabilities anyway:
https://security-tracker.debian.org/tracker/source-package/mp3gain
(I wonder whether you've rediscovered those, or found new vulnerabilities?)

It probably also suffers from most other historical vulnerabilities
that are listed for mpg123. We removed it from Debian in 2014,
with a recommendation to use the rgain Python package instead:
https://tracker.debian.org/pkg/rgain

rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't
exactly bug-free either; but those libraries are actively maintained,
and when they have vulnerabilities, they'd need to be fixed anyway for
the benefit of other packages.

Regards,
    smcv

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.