Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
mp3gain, an implementation of ReplayGain volume normalization, contains a very old modified version of mpglib, an MPEG audio decoder maintained as part of mpg123. Gustavo Grieco reported a buffer overflow in this mpglib fork (#740268), which he suspects can be exploited for arbitrary code execution if a user runs mp3gain on crafted input.

While researching the situation, I found several old vulnerabilities in mpg123 which seem to be applicable to mp3gain's copy (CVE-2003-0577, CVE-2004-0805, CVE-2004-0991, CVE-2006-1655); the vulnerability that Gustavo found appears to be one of those. Some of those CVEs might not actually be exploitable in mp3gain - a couple of them are specific to MPEG layer 2, which it refuses to analyze anyway - but it seemed safer to patch them all.

The security team asked me to handle this as a stable update. I have opened a serious bug against mp3gain (#742111) and removed it from testing (#742112), because I don't think it should be in Debian 8.

Exploits which might be useful for testing, none of which appear to have any effect on the patched mp3gain in a wheezy VM:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=PoC.mp3;att=1;bug=740268 (Gustavo's proof-of-concept)
http://www.exploit-db.com/exploits/1634/
http://www.exploit-db.com/exploits/22147/

A proposed debdiff is attached. I'll change wheezy-security to wheezy for the stable upload - I prepared it before I got an answer from the security team.

I haven't tested a squeeze update yet; I expect that it would look remarkably similar. Let me know if you'd like me to prepare one of those.

Regards,
S

Archive: https://lists.debian.org/20140319235441.ga28...@reptile.pseudorandom.co.uk