On 16.11.20 at 09:44, Salvatore Bonaccorso wrote:
On Mon, Nov 16, 2020 at 04:14:30AM +0100, Adam Borowski wrote:
Package: mp3gain
Version: 1.6.2-1+b1
Severity: important

Trying to run mp3gain results in:
==23813==ASan runtime does not come first in initial library list;
you should either link runtime to your application or manually
preload it with LD_PRELOAD.

Interestingly, I don't get this message. Same version, also amd64. But I saw that message when running mp3gain under valgrind without the LD_PRELOAD.

And indeed, invoking it as:
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.6 mp3gain -p -a *mp3
does the trick.

It looks like back in 2014 this was added to mitigate the stack
buffer overflows from #740268.

But as far as I understand, compiling with ASAN was not recommended to be
used in general as a hardening measure; there were reports back in 2016
such as

https://blog.hboeck.de/archives/879-Safer-use-of-C-code-running-Gentoo-with-Address-Sanitizer.html
https://www.openwall.com/lists/oss-security/2016/02/17/9

That said, I do not know if that is still an issue as of today, but
raising this question on topic.

I noticed that too when filing #973932. Some other links said ASAN has both false positives and false negatives when used together with FORTIFY_SOURCE:

https://github.com/google/sanitizers/issues/247

I agree that mp3gain should disable ASAN when #973932 is fixed.
