Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c)

[Agostino Sarubbo <ago () gentoo org>]

On giovedì 14 settembre 2017 09:24:45 CEST Simon McVittie wrote:
> On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote:
> > The fuzz was done via the aacgain command-line tool which uses mp3gain
> > which bundles an old-modified version of mpg123 called mpglibDBL.
>
> I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL
> is known to have security vulnerabilities anyway:
> https://security-tracker.debian.org/tracker/source-package/mp3gain
> (I wonder whether you've rediscovered those, or found new vulnerabilities?)
>
> It probably also suffers from most other historical vulnerabilities
> that are listed for mpg123. We removed it from Debian in 2014,
> with a recommendation to use the rgain Python package instead:
> https://tracker.debian.org/pkg/rgain
>
> rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't
> exactly bug-free either; but those libraries are actively maintained,
> and when they have vulnerabilities, they'd need to be fixed anyway for
> the benefit of other packages.
>
> Regards,
>     smcv
I didn't investigate to the mpg123 bugs, I searched for mp3gain into the CVE 
database.
Anwyay I agree with you that is time to drop the packages.

-- 
Agostino Sarubbo
Gentoo Linux Developer