Your message dated Wed, 19 Mar 2014 11:33:03 +0100 with message-id <20140319103303.GA12516@mraw.org> and subject line Re: Bug#742112: RM: mp3gain/1.5.2-r2-5 has caused the Debian Bug report #742112, regarding RM: mp3gain/1.5.2-r2-5 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
742112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742112
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: RM: mp3gain/1.5.2-r2-5
- From: Simon McVittie <smcv@debian.org>
- Date: Wed, 19 Mar 2014 10:24:29 +0000
- Message-id: <20140319102429.GA31806@reptile.pseudorandom.co.uk>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

As described in the 'serious' bug I just filed against it, mp3gain contains a 10ish-year-old embedded code copy of mpglib (originating from src:mpg123, I think) with known buffer overflows (including 'grave' bug #740268).

I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but the coding style is such that there are probably more exploitable overflows that we don't know about, so I don't think it should be in jessie.

I might ask the ftp-masters to remove it from unstable at some point, but for the moment I think it'll be easier to do stable updates if it still exists in unstable, so I'm only asking for testing removal right now.

Thanks,
S
--- End Message ---
--- Begin Message ---
- To: Simon McVittie <smcv@debian.org>, 742112-done@bugs.debian.org
- Subject: Re: Bug#742112: RM: mp3gain/1.5.2-r2-5
- From: Cyril Brulebois <kibi@debian.org>
- Date: Wed, 19 Mar 2014 11:33:03 +0100
- Message-id: <20140319103303.GA12516@mraw.org>
- In-reply-to: <20140319102429.GA31806@reptile.pseudorandom.co.uk>
- References: <20140319102429.GA31806@reptile.pseudorandom.co.uk>

Simon McVittie <smcv@debian.org> (2014-03-19):
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
>
> As described in the 'serious' bug I just filed against it, mp3gain
> contains a 10ish-year-old embedded code copy of mpglib (originating from
> src:mpg123, I think) with known buffer overflows (including 'grave' bug
> #740268).
>
> I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but
> the coding style is such that there are probably more exploitable overflows
> that we don't know about, so I don't think it should be in jessie.

The following should do:

kibi@franck:~$ head -4 hints/kibi
# 2014-03-19
# RoM: #742112
remove mp3gain/1.5.2-r2-5
block mp3gain

Thanks for your report, closing accordingly.

Mraw,
KiBi.

Attachment: signature.asc
Description: Digital signature
--- End Message ---