Your message dated Mon, 3 Jul 2017 03:33:40 +0930
with message-id <[email protected]>
and subject line Re: CVE-2017-5666
has caused the Debian Bug report #854278,
regarding CVE-2017-5666
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
854278: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854278
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mp3splt
Severity: grave
Tags: security
Please see
https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
On Sun, 05 Feb 2017 18:37:33 +0100, Moritz Muehlenhoff wrote:
> Package: mp3splt
> Severity: grave
> Tags: security
>
> Please see
> https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/
From what I can see in that thread and the upstream bug tracker,
the backtrace seems to show it failing deep in libmad, and a lot
of people seem to be failing to reproduce it, especially when
testing on Debian systems.
The best guess so far seems to be that it's actually this bug:
https://bugs.debian.org/287519
Which has been elusive since 2004, but at latest update Kurt said
he could no longer reproduce it in 2008 ...
So I'm going to close it against this package - at least until
someone can point at something concrete that's wrong in mp3splt
itself to cause this.
I've just adopted this package (and a new upload is waiting on
binary NEW, which adds the mp3splt-gtk package back again in
working order now too), so if someone has other information I'll
look into this further - but I'm not seeing anything that warrants
keeping mp3splt out of testing any longer because of this report
if libmad is where it is actually failing and needs to be fixed.
Cheers,
Ron
--- End Message ---