oss-sec mailing list archives

Re: lame: multiple vulnerabilities


From: "Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de>
Date: Wed, 28 Jun 2017 15:43:35 +0200

On Wed, 28 Jun 2017 14:03:16 +0200,
Agostino Sarubbo <ago () gentoo org> wrote:

> I discovered some crashes (which will follow one-by-one) in lame.

A number of these occur inside the mpglib part, which is an old fork of
the mpg123 decoder (extended with some LAME specifics). Can you check
if they also occur in current mpg123 / libmpg123 (https://mpg123.org)?

As mpg123 upstream, I've got that long-term plan without much actual
real-world time to spend on it to finally replace those old forks of
the precursor to libmpg123. A number of vulnerabilities in lame's
mpglib might be a good trigger to finally consolidate this.

In any case, knowing if these crashes apply to mpg123/libmpg123 would
be very valuable for me. 

Oh, and lame upstream is not exactly dead, just very silent. Apart from
these vulnerabilities, the program is quite complete in its
functionality. There is still the lame-dev () lists sourceforge net
mailing list with a post from time to time. At least developers are
subscribed.


Alrighty then,

Thomas (mpg123 maintainer)

-- 
Dr. Thomas Orgis
Universität Hamburg
