Source: mp3splt
Version: 2.6.2+20170630-3.1
Severity: serious
Tags: security
X-Debbugs-Cc: [email protected]

The CVEs CVE-2017-5851, CVE-2017-5666, and CVE-2017-5665 have never been addressed -- neither in Debian nor upstream. While mp3splt might be a CLI tool, it may be run on untrusted input. If we continue to include this package in Debian, it should be checked whether the CVEs only allow triggering a crash or potentially more than that.

Cheers
--
Sebastian Ramacher

