
Bug#742112: marked as done (RM: mp3gain/1.5.2-r2-5)



Your message dated Wed, 19 Mar 2014 11:33:03 +0100
with message-id <20140319103303.GA12516@mraw.org>
and subject line Re: Bug#742112: RM: mp3gain/1.5.2-r2-5
has caused the Debian Bug report #742112,
regarding RM: mp3gain/1.5.2-r2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742112
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

As described in the 'serious' bug I just filed against it, mp3gain
contains a 10ish-year-old embedded code copy of mpglib (originating from
src:mpg123, I think) with known buffer overflows (including 'grave' bug
#740268).

I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but
the coding style is such that there are probably more exploitable overflows
that we don't know about, so I don't think it should be in jessie.

I might ask the ftp-masters to remove it from unstable at some
point, but for the moment I think it'll be easier to do
stable updates if it still exists in unstable, so I'm only
asking for testing removal right now.

Thanks,
    S

--- End Message ---
--- Begin Message ---
Simon McVittie <smcv@debian.org> (2014-03-19):
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
> 
> As described in the 'serious' bug I just filed against it, mp3gain
> contains a 10ish-year-old embedded code copy of mpglib (originating from
> src:mpg123, I think) with known buffer overflows (including 'grave' bug
> #740268).
> 
> I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but
> the coding style is such that there are probably more exploitable overflows
> that we don't know about, so I don't think it should be in jessie.

The following should do:

  kibi@franck:~$ head -4 hints/kibi
  # 2014-03-19
  # RoM: #742112
  remove mp3gain/1.5.2-r2-5
  block mp3gain

Thanks for your report, closing accordingly.

Mraw,
KiBi.

Attachment: signature.asc
Description: Digital signature


--- End Message ---
