
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

mp3gain, an implementation of ReplayGain volume normalization, contains
a very old modified version of mpglib, an MPEG audio decoder maintained
as part of mpg123.

Gustavo Grieco reported a buffer overflow in this mpglib fork (#740268),
which he suspects can be exploited for arbitrary code execution if a
user runs mp3gain on crafted input. While researching the situation, I
found several old vulnerabilities in mpg123 which seem to be
applicable to mp3gain's copy (CVE-2003-0577, CVE-2004-0805,
CVE-2004-0991, CVE-2006-1655); the vulnerability that Gustavo found
appears to be one of those.

Some of those CVEs might not actually be exploitable in mp3gain - a
couple of them are specific to MPEG layer 2, which it refuses to analyze
anyway - but it seemed safer to patch them all.

The security team asked me to handle this as a stable update.
I have opened a serious bug against mp3gain (#742111) and removed it
from testing (#742112), because I don't think it should be in Debian 8.

Exploits which might be useful for testing, none of which appear to have
any effect on the patched mp3gain in a wheezy VM:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=PoC.mp3;att=1;bug=740268 (Gustavo's proof-of-concept)

http://www.exploit-db.com/exploits/1634/

http://www.exploit-db.com/exploits/22147/

A proposed debdiff is attached. I'll change wheezy-security to wheezy
for the stable upload - I prepared it before I got an answer from the security
team.

I haven't tested a squeeze update yet; I expect that it would look
remarkably similar. Let me know if you'd like me to prepare one of those.

Regards,
    S

