Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: rm
As described in the 'serious' bug I just filed against it, mp3gain contains a 10ish-year-old embedded code copy of mpglib (originating from src:mpg123, I think) with known buffer overflows (including 'grave' bug #740268).

I've just uploaded 1.5.2-r2-6 to fix the known buffer overflows, but the coding style is such that there are probably more exploitable overflows that we don't know about, so I don't think it should be in jessie.

I might ask the ftp-masters to remove it from unstable at some point, but for the moment I think it'll be easier to do stable updates if it still exists in unstable, so I'm only asking for testing removal right now.

Thanks,
S

Archive: https://lists.debian.org/20140319102429.ga31...@reptile.pseudorandom.co.uk