On 2025-12-09 22:59, Sebastian Ramacher wrote:
> The CVEs CVE-2017-5851, CVE-2017-5666, and CVE-2017-5665 have never been
> addressed -- neither in Debian nor upstream. While mp3splt might be a CLI
> tool, it may be run on untrusted input. If we continue to include this
> package in Debian, it should be checked whether the CVEs only allow
> triggering a crash or potentially more than that.

CVE-2017-5666 was explicitly addressed in 2017 in https://bugs.debian.org/854278

The others appear related and, if you read the actual CVEs, they have had no
analysis of there being any *actual* impact, or of whether an even remotely
plausible/playable file could trigger them, and no contemporary or
subsequent assertion that they are in any way exploitable.

Someone ran fuzz testing, saw an ASAN warning, and filed some CVEs,
probably against the wrong package, and that's about it.  There has been no
apparent escalation in panic level and no confirmation that these issues
still exist, and, as you can see from the only *actual* analysis in #854278,
they were quite possibly fixed long before these CVEs were created, in the
package where that bug probably actually existed, in the version that
Debian had already been shipping for quite some years before.

So unless you know something new, I don't think we need to turn the wolf
alarm on these up to 11 just yet :)

  Cheers,
  Ron (who did the 2017 analysis for this package)
