Stefan Fritsch pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a41aca5e by Stefan Fritsch at 2020-11-07T19:29:33+01:00
Update mp3gain info

mp3gain has been re-introduced into Debian. It no longer embeds
mpg123.

- - - - -


2 changed files:

- data/CVE/list
- data/embedded-code-copies


Changes:

=====================================
data/CVE/list
=====================================
@@ -72468,7 +72468,8 @@ CVE-2019-18361 (JetBrains IntelliJ IDEA before 2019.2 
allows local user privileg
 CVE-2019-18360 (In JetBrains Hub versions earlier than 2019.1.11738, username 
enumerat ...)
        NOT-FOR-US: JetBrains
 CVE-2019-18359 (A buffer over-read was discovered in ReadMP3APETag in apetag.c 
in MP3G ...)
-       - mp3gain <removed>
+       - mp3gain <unfixed>
+       NOTE: SuSE fix: 
https://build.opensuse.org/package/view_file/openSUSE:Maintenance:12304/mp3gain.openSUSE_Leap_15.1_Update/0001-fix-security-bugs.patch?rev=0db47562b2545871d0be3fc88083e0cd
 CVE-2019-18358
        RESERVED
 CVE-2019-18357 (An XSS issue was discovered in Thycotic Secret Server before 
10.7 (iss ...)
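Review bot: The new `- mp3gain <unfixed>` line for CVE-2019-18359 carries no severity or Debian bug reference, unlike the CVE-2014-XXXX entry touched later in this commit (`low; bug #740268`). Since the added NOTE already points at a SuSE patch, consider filing a bug against mp3gain with that patch and recording its number here, so the open issue in the re-introduced package is tracked.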
@@ -151123,13 +151124,15 @@ CVE-2018-10779 (TIFFWriteScanline in tif_write.c in 
LibTIFF 3.8.2 has a heap-bas
        NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed 
although
        NOTE: technically still present in the source package
 CVE-2018-10778 (Read access violation in the III_dequantize_sample function in 
mpglibD ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy)
 CVE-2018-10777 (Buffer overflow in the WriteMP3GainAPETag function in apetag.c 
in mp3g ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy)
+       NOTE: Fixed according to https://sourceforge.net/p/mp3gain/bugs/43/
+       NOTE: According to the CVE this is caught by FORTIFY_SOURCE, so no real 
vulnerability.
 CVE-2018-10776 (The getbits function in mpglibDBL/common.c in mp3gain through 
1.5.2-r2 ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy)
 CVE-2018-10775 (NULL pointer dereference in the _fields_add function in 
fields.c in li ...)
        - bibutils <unfixed> (unimportant; bug #898135)
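Review bot: For CVE-2018-10777 the two added NOTE lines give different reasons for the entry: one says the issue is fixed per upstream bug 43, the other says it is "no real vulnerability" because FORTIFY_SOURCE catches it. The second reason holds only for builds with FORTIFY_SOURCE enabled, where the overflow still ends in an abort, so the entry should say which of the two the `1.6.2-1` fixed version rests on. CVE-2018-10778 and CVE-2018-10776 in the same hunk move to 1.6.2-1 with no supporting NOTE; a reference to the upstream fix would make them checkable.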
@@ -190478,31 +190481,33 @@ CVE-2017-14414 (D-Link DIR-850L REV. A (with 
firmware through FW114WWb07_h2ab_be
 CVE-2017-14413 (D-Link DIR-850L REV. A (with firmware through 
FW114WWb07_h2ab_beta1) d ...)
        NOT-FOR-US: D-Link
 CVE-2017-14412 (An invalid memory write was discovered in copy_mp in 
interface.c in mp ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-invalid-memory-write-in-copy_mp-mpglibdblinterface-c/
 CVE-2017-14411 (A stack-based buffer overflow was discovered in copy_mp in 
interface.c ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c/
 CVE-2017-14410 (A buffer over-read was discovered in III_i_stereo in layer3.c 
in mpgli ...)
-       - mp3gain <removed>
+       - mp3gain CVE-2018-10776
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/
 CVE-2017-14409 (A buffer overflow was discovered in III_dequantize_sample in 
layer3.c  ...)
-       - mp3gain <removed>
+       - mp3gain CVE-2018-10776
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_dequantize_sample-mpglibdbllayer3-c/
 CVE-2017-14408 (A stack-based buffer over-read was discovered in dct36 in 
layer3.c in  ...)
-       - mp3gain <removed>
+       - mp3gain CVE-2018-10776
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-dct36-mpglibdbllayer3-c/
 CVE-2017-14407 (A stack-based buffer over-read was discovered in filterYule in 
gain_an ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/
+       NOTE: Not reproducible with 1.6.2.
+       NOTE: Caught by ASAN according to CVE. mp3gain is compiled with ASAN 
on: amd64 i386 armel armhf powerpc
 CVE-2017-14406 (A NULL pointer dereference was discovered in sync_buffer in 
interface. ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: 
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-null-pointer-dereference-in-sync_buffer-mpglibdblinterface-c/
 CVE-2017-14405 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows 
remote comma ...)
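Review bot: Three of the new lines put a CVE id where the fixed version belongs: `- mp3gain CVE-2018-10776` under CVE-2017-14410, CVE-2017-14409 and CVE-2017-14408. If these are meant to be handled together with CVE-2018-10776, which this commit marks fixed in 1.6.2-1, use `- mp3gain 1.6.2-1` and state the relationship in a NOTE line instead. Separately, on CVE-2017-14407 the "Not reproducible with 1.6.2" NOTE does not by itself show a code fix, so it is worth saying whether 1.6.2-1 is recorded because of a code change or because of the ASAN build.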
@@ -194561,11 +194566,11 @@ CVE-2017-12914
 CVE-2017-12913
        RESERVED
 CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a 
vulnerability  ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU
 CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability 
which resu ...)
-       - mp3gain <removed>
+       - mp3gain 1.6.2-1
        [wheezy] - mp3gain <end-of-life>
        NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU
 CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5 
allows rem ...)
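Review bot: CVE-2017-12912 and CVE-2017-12911 move to `1.6.2-1` without any NOTE saying how the fix was confirmed, and the only reference on each entry is a Google Drive link. A NOTE pointing at the upstream bug or change, as added for CVE-2018-10777, would make the fixed version verifiable.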
@@ -308681,7 +308686,7 @@ CVE-2014-2284 (The Linux implementation of the 
ICMP-MIB in Net-SNMP 5.5 before 5
        NOTE: http://sourceforge.net/p/net-snmp/mailman/message/32026655/
        NOTE: 
http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/
 CVE-2014-XXXX [buffer overflow]
-       - mp3gain <removed> (low; bug #740268)
+       - mp3gain 1.6.2-1 (low; bug #740268)
        [squeeze] - mp3gain <no-dsa> (Minor issue)
        [wheezy] - mp3gain <no-dsa> (Minor issue)
        NOTE: http://sourceforge.net/p/mp3gain/bugs/36/


=====================================
data/embedded-code-copies
=====================================
@@ -2980,10 +2980,6 @@ libjs-jquery-bbq (not packaged in Debian; RFP bug 
#741586; http://benalman.com/p
        - ganglia-web <unfixed> (embed)
        - jqapi <unfixed> (embed)
 
-lame
-       - mp3gain <removed> (modified-embed)
-       NOTE: ancient copy, part of mpglib which was probably part of mpg123 at 
some point
-
 zopfli
        - pigz <unfixed> (embed)
        - advancecomp <unfixed> (embed)
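Review bot: The removed entry is filed under `lame`, and its NOTE only says mpglib was "probably part of mpg123 at some point", while the commit message gives the reason as mp3gain no longer embedding mpg123. Naming in the commit message which library the re-introduced package uses in place of the bundled mpglib would let a reader verify that dropping this `modified-embed` record is correct.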



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a41aca5e1e542c3628fd03f5102d514b6d22b156
