Package: mp3gain Version: 1.6.2-1+b1 Severity: important Tags: security, patch X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
mp3gain 1.6.2 still crashes with AdressSanitizer errors on the PoCs mp3gain_poc1 mp3gain_poc2 mp3gain_poc5 mp3gain_CVE-2018-10777 from https://github.com/zjuchenyuan/fuzzpoc.git SuSe claims to have fixed them with this patch: https://build.opensuse.org/package/view_file/openSUSE:Maintenance:12304/mp3gain.openSUSE_Leap_15.1_Update/0001-fix-security-bugs.patch?rev=0db47562b2545871d0be3fc88083e0cd Debian builds mp3gain with asan on amd64 i386 armel armhf powerpc. This means the other architectures are still vulnerable.