Source: ming
Version: 1:0.4.4-1.1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for ming. The issues cannot be seen directly with the given reproducers, apparently since they are covered by other issues. But according to Agostino Sarubbo they are found in 0.4.7 and there were no changes from 0.4.5 to 0.4.7 in listmp3.c.

CVE-2016-9264[0]:
global-buffer-overflow in printMP3Headers (listmp3.c)

CVE-2016-9265[1]:
divide-by-zero in printMP3Headers (listmp3.c)

CVE-2016-9266[2]:
left shift in listmp3.c

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9264
[1] https://security-tracker.debian.org/tracker/CVE-2016-9265
[2] https://security-tracker.debian.org/tracker/CVE-2016-9266

Btw, should ming rather be removed completely from Debian? It is currently not in testing, and will not be in stretch.

Regards,
Salvatore