Several security issues in mp3gain have been announced:
http://openwall.com/lists/oss-security/2017/09/14/1
http://openwall.com/lists/oss-security/2017/09/14/5
http://openwall.com/lists/oss-security/2017/09/14/4
http://openwall.com/lists/oss-security/2017/09/14/7
http://openwall.com/lists/oss-security/2017/09/14/3
http://openwall.com/lists/oss-security/2017/09/14/6
http://openwall.com/lists/oss-security/2017/09/14/8

The software appears to be dead. It was recommended to replace it with something called rgain, as mp3gain is unlikely to be fixed:
http://openwall.com/lists/oss-security/2017/09/14/9

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
No fixes, so no update for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
rgain is a python package (https://pypi.python.org/pypi/rgain). Since mp3gain is hard to fix and we move to rgain, this should be assigned to python maintainers.
CC: (none) => mageia
Status comment: (none) => Probably won't be fixed, package should be dropped/replaced
(In reply to Marc Krämer from comment #2)
> rgain is a python package (https://pypi.python.org/pypi/rgain).
> Since mp3gain is hard to fix and we move to rgain, this should be assigned
> to python maintainers.

Looks like rgain isn't getting any TLC either.
https://bitbucket.org/fk/rgain/issues/26/wanted-new-maintainer

Cheers,
Stig
CC: (none) => smelror
Updated packages uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mp3gain package fixes security vulnerabilities:

A NULL pointer dereference was discovered in sync_buffer in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service (CVE-2017-14406).

A stack-based buffer over-read was discovered in filterYule in gain_analysis.c in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14407).

A stack-based buffer over-read was discovered in dct36 in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14408).

A buffer overflow was discovered in III_dequantize_sample in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution (CVE-2017-14409).

A buffer over-read was discovered in III_i_stereo in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14410).

A stack-based buffer overflow was discovered in copy_mp in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution (CVE-2017-14411).

An invalid memory write was discovered in copy_mp in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes a denial of service (segmentation fault and application crash) or possibly unspecified other impact (CVE-2017-14412).

Buffer overflow in the WriteMP3GainAPETag function in apetag.c in mp3gain through 1.5.2-r2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (CVE-2018-10777).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10777
https://sourceforge.net/p/mp3gain/bugs/40/
https://sourceforge.net/p/mp3gain/bugs/41/
https://sourceforge.net/p/mp3gain/bugs/43/
========================

Updated packages in core/updates_testing:
========================
mp3gain-1.6.2-1.mga6

from mp3gain-1.6.2-1.mga6.src.rpm
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Status comment: Probably won't be fixed, package should be dropped/replaced => (none)
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Created two mp3 files from wav's using audacity. The wav's come from an old Philips audio cassette.

At CLI
$ mp3gain -x 01\ Welington\'s\ Sieg.mp3
01 Welington's Sieg.mp3
Recommended "Track" dB change: -0.650000
Recommended "Track" mp3 gain change: 0
WARNING: some clipping may occur with this gain change!
Max PCM sample at current gain: 32819.066763
Max mp3 global gain field: 210
Min mp3 global gain field: 144

Recommended "Album" dB change for all files: -1.430000
Recommended "Album" mp3 gain change for all files: -1

and
$ mp3gain -x 02\ Zapfenstreich.mp3
02 Zapfenstreich.mp3
Recommended "Track" dB change: -3.970000
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 32481.402828
Max mp3 global gain field: 210
Min mp3 global gain field: 147

Recommended "Album" dB change for all files: -1.430000
Recommended "Album" mp3 gain change for all files: -1

and
$ mp3gain -r 01\ Welington\'s\ Sieg.mp3 02\ Zapfenstreich.mp3
01 Welington's Sieg.mp3
No changes to 01 Welington's Sieg.mp3 are necessary
02 Zapfenstreich.mp3
Applying mp3 gain change of -3 to 02 Zapfenstreich.mp3...

Played mp3's again then, but could not really tell if there was a noticeable change. At least it didn't spoil anything.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
For what it is worth I AM following up the PoCs for 64-bits.
CC: (none) => tarazed25
In the light of what has been already said, e.g. http://openwall.com/lists/oss-security/2017/09/14/9, it does not look worthwhile to follow up the PoCs.

Just repeating Herman's tests for 64-bits.

Before update:
$ mp3gain LaProcession.mp3
LaProcession.mp3
Recommended "Track" dB change: -4.060000
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 28658.739531
Max mp3 global gain field: 210
Min mp3 global gain field: 84

Recommended "Album" dB change for all files: -4.060000
Recommended "Album" mp3 gain change for all files: -3

Clean update.

$ mp3gain -x LaProcession.mp3
LaProcession.mp3
Recommended "Track" dB change: -4.060000
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 28657.854365
Max mp3 global gain field: 210
Min mp3 global gain field: 84

Recommended "Album" dB change for all files: -4.060000
Recommended "Album" mp3 gain change for all files: -3

which is almost the same.

$ mp3gain -r LaProcession.mp3 ElBarberilloDoLavaples.mp3
LaProcession.mp3
Applying mp3 gain change of -3 to LaProcession.mp3...
ElBarberilloDoLavaples.mp3
Applying mp3 gain change of -1 to ElBarberilloDoLavaples.mp3...

Played those two tracks in mplayer and they sounded fine.
OK for 64-bits.
$ uname -a
Linux localhost 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following package is going to be installed:

- mp3gain-1.6.2-1.mga6.x86_64

40KB of disk space will be freed.
51KB of packages will be retrieved.

$ mp3gain -v
mp3gain version 1.6.2

$ mp3gain begin.mp3 begin_louder.mp3
begin.mp3
Delaying a frame in decoding with old libmpg123.
Recommended "Track" dB change: -2.580000
Recommended "Track" mp3 gain change: -2
Max PCM sample at current gain: 33657.394531
Max mp3 global gain field: 255
Min mp3 global gain field: 129

begin_louder.mp3
Can't open begin_louder.mp3 for reading

Recommended "Album" dB change for all files: -2.580000
Recommended "Album" mp3 gain change for all files: -2

seemed to work and handled the error well

Next I cranked up the mp3 a bunch

$ mp3gain -g 7 begin.mp3 begin_louder.mp3
Applying gain change of 7 to begin.mp3...
done
Applying gain change of 7 to begin_louder.mp3...
Can't open begin_louder.mp3 for modifying

----
Oh yeah that's much louder

Working as designed.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => brtians1
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0326.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2017-12911: https://lists.opensuse.org/opensuse-updates/2020-04/msg00085.html