Package: mp3gain
Version: 1.5.1-4
Severity: serious
Tags: security

["serious" severity because, having looked through its implementation, in my opinion this software should not be in Debian 8.]
mp3gain contains a modified copy of mpglib, an MP3 decoding library originating from src:mpg123 and also found in a forked or modified form in various other packages. It is unclear how old our particular copy is; it says "version 0.2a", but the version in mpg123 appears to have been stuck at version 0.2 for at least a decade.

mpglib has had various security vulnerabilities in the past, and mp3gain appears to have inherited them. I've just done an upload fixing the ones for which I could find patches in mpg123, but I am not at all confident that I found everything.

I intend to switch to python-rgain (which uses GStreamer, and produces compatible ID3 tags) and avoid using mp3gain myself in future.

If mp3gain exists in Debian, it should decode MP3s using a shared library of some sort - perhaps libmpg123, GStreamer or libavcodec - that is maintained by people who know the relevant codebase.

S
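The report's underlying problem is an embedded copy of mpglib that nobody tracks. The script below is an added example, not part of the bug report or of mp3gain, showing one way to scan a source tree for such copies: mpglib's public entry points are InitMP3(), decodeMP3() and ExitMP3() on a struct mpstr, so any file defining or declaring at least two of them is very likely a copy of mpglib's interface.c. The two-symbol threshold and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or mp3gain): heuristic scan for an
# embedded copy of mpglib in a source tree, keyed on its three public API
# functions. The "at least two of three" threshold is an assumption chosen
# so that a caller that merely invokes decodeMP3() is not reported.

# Print each .c/.h file that looks like an mpglib copy, one path per line.
find_embedded_mpglib() {
    dir=$1
    find "$dir" -type f \( -name '*.c' -o -name '*.h' \) -print | while read -r f; do
        hits=0
        for sym in InitMP3 decodeMP3 ExitMP3; do
            # Match the symbol as a whole word followed by '(' (definition,
            # prototype or call), using only POSIX ERE so BSD grep works too.
            if grep -Eq "(^|[^A-Za-z0-9_])$sym[[:space:]]*\\(" "$f"; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge 2 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of files reported by find_embedded_mpglib, as a bare integer.
count_embedded_mpglib() {
    find_embedded_mpglib "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (not real mp3gain sources) so the scan can
# be demonstrated offline: one embedded decoder, one file that only calls it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mpglib" "$root/src"
    cat > "$root/mpglib/interface.c" <<'EOF'
/* constructed stand-in for an embedded copy of mpglib's interface.c */
#include "mpg123.h"
BOOL InitMP3(struct mpstr *mp) { return TRUE; }
void ExitMP3(struct mpstr *mp) { }
int decodeMP3(struct mpstr *mp, char *in, int isize, char *out, int osize, int *done) { return MP3_OK; }
EOF
    cat > "$root/src/gain.c" <<'EOF'
/* constructed application code that only calls the decoder; not a copy */
int analyse(void) { return decodeMP3(0, 0, 0, 0, 0, 0); }
EOF
    printf '%s\n' "$root"
}

# Usage: sh find_mpglib.sh /path/to/unpacked/source
if [ "${0##*/}" = "find_mpglib.sh" ]; then
    find_embedded_mpglib "${1:-.}"
fi
```

Run it over an unpacked source package; a hit outside a directory that is genuinely meant to be a decoder is exactly the situation described above. The same approach generalises to any other library known to be copied around: swap in two or three of its distinctive public symbols.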