[Secure-testing-commits] r58772 - in data: . CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Thu Dec 21 10:02:22 UTC 2017


Author: hertzog
Date: 2017-12-21 10:02:22 +0000 (Thu, 21 Dec 2017)
New Revision: 58772

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Reclassify mp3gain CVE since I marked the package as unsupported

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-12-21 09:51:33 UTC (rev 58771)
+++ data/CVE/list	2017-12-21 10:02:22 UTC (rev 58772)
@@ -17164,24 +17164,31 @@
 	NOT-FOR-US: D-Link
 CVE-2017-14412 (An invalid memory write was discovered in copy_mp in interface.c in ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-invalid-memory-write-in-copy_mp-mpglibdblinterface-c/
 CVE-2017-14411 (A stack-based buffer overflow was discovered in copy_mp in interface.c ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c/
 CVE-2017-14410 (A buffer over-read was discovered in III_i_stereo in layer3.c in ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/
 CVE-2017-14409 (A buffer overflow was discovered in III_dequantize_sample in layer3.c ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_dequantize_sample-mpglibdbllayer3-c/
 CVE-2017-14408 (A stack-based buffer over-read was discovered in dct36 in layer3.c in ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-dct36-mpglibdbllayer3-c/
 CVE-2017-14407 (A stack-based buffer over-read was discovered in filterYule in ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/
 CVE-2017-14406 (A NULL pointer dereference was discovered in sync_buffer in interface.c ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-null-pointer-dereference-in-sync_buffer-mpglibdblinterface-c/
 CVE-2017-14405 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote ...)
 	NOT-FOR-US: EyesOfNetwork (EON)
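Review bot: In the CVE-2017-14409 and CVE-2017-14407 entries, the new `[wheezy] - mp3gain <end-of-life>` line is the only wheezy-specific record left. The same revision deletes the data/dla-needed.txt note saying those two were successfully reproduced and that CVE-2017-14406, 14408, 14410, 14411 and 14412 could not be. Consider keeping that result as a NOTE line under the affected entries, together with the pointer to CVE-2017-9872 for CVE-2017-14409, so the triage result stays visible to anyone still running the wheezy package.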
@@ -21198,9 +21205,11 @@
 	RESERVED
 CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU
 CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which ...)
 	- mp3gain <removed>
+	[wheezy] - mp3gain <end-of-life>
 	NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU
 CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows ...)
 	NOT-FOR-US: NexusPHP

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-12-21 09:51:33 UTC (rev 58771)
+++ data/dla-needed.txt	2017-12-21 10:02:22 UTC (rev 58772)
@@ -59,16 +59,7 @@
   NOTE: 20171120: wip, currently working on it with upstream, might take a while
   NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks
 --
-mp3gain
-  NOTE: Successfully reproduced CVE-2017-144{09, 07} but couldn't reproduce CVE-2017-144{06, 08, 10, 11, 12} (valgrind in Wheezy, gcc+asan in Jessie).
-  NOTE: Bundles a modified, old version of mpg123 under mpglibDBL/, so issues might be already discovered/fixed in mpg123 or lame:
-  NOTE: For CVE-2017-14409, https://security-tracker.debian.org/tracker/CVE-2017-9872 might be of interest, files are very similar
-  NOTE: adapting/writing patches seems to be very time consuming, mp3gain is dead upstream so this might be a candidate for no-dsa -- Hugo Lefeuvre
---
 ohcount
-  NOTE: No upstream bug tracker found (except on old copies of the code on
-  NOTE: github). Pinged sourceforge project owner with sourceforge's
-  NOTE: integrated messaging feature. -- Raphaël Hertzog
 --
 python2.6
   NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
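Review bot: The removal of the three NOTE lines under ohcount is not covered by the log message, which only mentions reclassifying mp3gain. It leaves the ohcount entry with no status or owner note. Either move that removal into its own commit with a log line saying why the upstream-contact note is dropped, or mention it in this log.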



