Bug#742112: marked as done (RM: mp3gain/1.5.2-r2-5)



Your message dated Sun, 30 Mar 2014 22:36:16 +0200
with message-id <53388040.4030902@thykier.net>
and subject line Re: Bug#742112: RM: mp3gain/1.5.2-r2-5
has caused the Debian Bug report #742112,
regarding RM: mp3gain/1.5.2-r2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742112
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

As described in the 'serious' bug I just filed against it, mp3gain
contains a 10ish-year-old embedded code copy of mpglib (originating from
src:mpg123, I think) with known buffer overflows (including 'grave' bug
#740268).

I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but
the coding style is such that there are probably more exploitable overflows
that we don't know about, so I don't think it should be in jessie.

I might ask the ftp-masters to remove it from unstable at some
point, but for the moment I think it'll be easier to do
stable updates if it still exists in unstable, so I'm only
asking for testing removal right now.

Thanks,
    S

--- End Message ---
--- Begin Message ---
On 2014-03-21 10:26, Simon McVittie wrote:
> reopen 742112
> thanks
> 
> Cyril Brulebois wrote:
>> The following should do:
>>
>>   kibi@franck:~$ head -4 hints/kibi
>>   # 2014-03-19
>>   # RoM: #742112
>>   remove mp3gain/1.5.2-r2-5
>>   block mp3gain
> 
> Unfortunately, I hadn't spotted that it isn't a leaf package - easymp3gain
> depends on it.
> 
> I see two possibilities:
> 
> * remove easymp3gain (which has a FTBFS bug anyway)
> * unblock mp3gain so -6 can migrate, fixing at least the known
>   vulnerabilities in testing, then try to do the removal later
> 
> I've opened a bug against easymp3gain asking for it to use python-rgain
> or something (it already supports vorbisgain, which has a different
> command-line syntax, so that's not as crazy as it might sound).
> 
>     S
> 
> 

Hi Simon,

We have added a removal hint for easymp3gain as well (with the
maintainer CC'ed).

Dear easymp3gain maintainer(s), the maintainers of mp3gain have concluded
that it is currently unsuitable for Jessie and have asked us to remove
the package (see #742112 and #742111).  Your package, having a strict
dependency on mp3gain, will therefore be removed as well.

~Niels

--- End Message ---