
Bug#742112: RM: mp3gain/1.5.2-r2-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

As described in the 'serious' bug I just filed against it, mp3gain
contains a 10ish-year-old embedded code copy of mpglib (originating from
src:mpg123, I think) with known buffer overflows (including 'grave' bug
#740268).

I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but
the coding style is such that there are probably more exploitable overflows
that we don't know about, so I don't think it should be in jessie.

I might ask the ftp-masters to remove it from unstable at some
point, but for the moment I think it'll be easier to do
stable updates if it still exists in unstable, so I'm only
asking for testing removal right now.

Thanks,
    S