CVEs have been assigned for two security issues in mp3splt: http://openwall.com/lists/oss-security/2017/01/31/7 http://openwall.com/lists/oss-security/2017/01/31/8 As far as I know, no fixes are available yet. Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
One more issue: http://openwall.com/lists/oss-security/2017/02/01/3
(In reply to David Walser from comment #1) > One more issue: > http://openwall.com/lists/oss-security/2017/02/01/3 CVE-2017-5851: http://openwall.com/lists/oss-security/2017/02/02/8
Summary: mp3splt new security issues CVE-2017-566[56] => mp3splt new security issues CVE-2017-566[56] and CVE-2017-5851
CVE: (none) => CVE-2017-5665 CVE-2017-5666 CVE-2017-5851CC: (none) => mageia
Had a quick look, as of today nobody seems to have cared enough to produce patches for those issues. Upstream bug report: https://sourceforge.net/p/mp3splt/bugs/209/ Like Jonas Meurer commented there, some of the PoCs seem not to trigger the issue in our version: * [GOOD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-main-mp3splt-c/ mp3splt -P -f -t 0.1 -a 00128-mp3splt-nullptr-main mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2 Matteo Trotta <mtrotta AT users.sourceforge.net> Alexandru Munteanu <m AT ioalex.net> THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK! Pretending to split file '00128-mp3splt-nullptr-main' ... error: no plugin matches the file '00128-mp3splt-nullptr-main' * [BAD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-splt_cue_export_to_file-cue-c/ $ mp3splt -P -f -t 0.1 -a 00129-mp3splt-nullptr-splt_cue_export_to_file mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2 Matteo Trotta <mtrotta AT users.sourceforge.net> Alexandru Munteanu <m AT ioalex.net> THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK! Pretending to split file '00129-mp3splt-nullptr-splt_cue_export_to_file' ... mp3splt: layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= (511 + 2048 + 8)' failed. Abandon (core dumped) * [BAD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ $ mp3splt -P -f -t 0.1 -a ~/00130-mp3splt-badfree-free_options mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2 Matteo Trotta <mtrotta AT users.sourceforge.net> Alexandru Munteanu <m AT ioalex.net> THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK! Pretending to split file '/home/akien/Téléchargements/00130-mp3splt-badfree-free_options' ... mp3splt: layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= (511 + 2048 + 8)' failed. Abandon (core dumped)
Status comment: (none) => No upstream or downstream patches available as of early June 2017
It's a leaf package so we could possibly consider dropping it for Mageia 6 if those security issues don't get fixed. At the same time, those security issues seem pretty minor to me, and I don't think we put our users too much at risk by keeping the package unpatched for now.
Dropped from Mageia 6.
Whiteboard: MGA5TOO => (none)Version: Cauldron => 5
Security issues do seem minor, and this appears to have gone nowhere upstream.
Resolution: (none) => OLDStatus: NEW => RESOLVED