author | Stefan Fritsch <sf@sfritsch.de> | 2020-11-07 18:48:51 +0100 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2020-11-07 19:29:33 +0100 |
commit | a41aca5e1e542c3628fd03f5102d514b6d22b156 (patch) | |
tree | 5cff9586153862db8cb7a978e7a57208e52c343d | |
parent | 12a3035d297a6d54636f96581f3c3e0ea9508b01 (diff) |
Update mp3gain info
mp3gain has been re-introduced into Debian. It no longer embeds
mpg123.
-rw-r--r-- | data/CVE/list | 33
-rw-r--r-- | data/embedded-code-copies | 4
2 files changed, 19 insertions, 18 deletions
diff --git a/data/CVE/list b/data/CVE/list index f407e651b6..35b03afc04 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -72468,7 +72468,8 @@ CVE-2019-18361 (JetBrains IntelliJ IDEA before 2019.2 allows local user privileg CVE-2019-18360 (In JetBrains Hub versions earlier than 2019.1.11738, username enumerat ...) NOT-FOR-US: JetBrains CVE-2019-18359 (A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3G ...) - - mp3gain <removed> + - mp3gain <unfixed> + NOTE: SuSE fix: https://build.opensuse.org/package/view_file/openSUSE:Maintenance:12304/mp3gain.openSUSE_Leap_15.1_Update/0001-fix-security-bugs.patch?rev=0db47562b2545871d0be3fc88083e0cd CVE-2019-18358 RESERVED CVE-2019-18357 (An XSS issue was discovered in Thycotic Secret Server before 10.7 (iss ...) @@ -151123,13 +151124,15 @@ CVE-2018-10779 (TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-bas NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although NOTE: technically still present in the source package CVE-2018-10778 (Read access violation in the III_dequantize_sample function in mpglibD ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy) CVE-2018-10777 (Buffer overflow in the WriteMP3GainAPETag function in apetag.c in mp3g ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy) + NOTE: Fixed according to https://sourceforge.net/p/mp3gain/bugs/43/ + NOTE: According to the CVE this is caught by FORTIFY_SOURCE, so no real vulnerability. CVE-2018-10776 (The getbits function in mpglibDBL/common.c in mp3gain through 1.5.2-r2 ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> (Not supported in Wheezy) CVE-2018-10775 (NULL pointer dereference in the _fields_add function in fields.c in li ...) - bibutils <unfixed> (unimportant; bug #898135) 
@@ -190478,31 +190481,33 @@ CVE-2017-14414 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_be CVE-2017-14413 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14412 (An invalid memory write was discovered in copy_mp in interface.c in mp ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-invalid-memory-write-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14411 (A stack-based buffer overflow was discovered in copy_mp in interface.c ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14410 (A buffer over-read was discovered in III_i_stereo in layer3.c in mpgli ...) - - mp3gain <removed> + - mp3gain CVE-2018-10776 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/ CVE-2017-14409 (A buffer overflow was discovered in III_dequantize_sample in layer3.c ...) - - mp3gain <removed> + - mp3gain CVE-2018-10776 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_dequantize_sample-mpglibdbllayer3-c/ CVE-2017-14408 (A stack-based buffer over-read was discovered in dct36 in layer3.c in ...) - - mp3gain <removed> + - mp3gain CVE-2018-10776 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-dct36-mpglibdbllayer3-c/ CVE-2017-14407 (A stack-based buffer over-read was discovered in filterYule in gain_an ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/ + NOTE: Not reproducible with 1.6.2. + NOTE: Caught by ASAN according to CVE. 
mp3gain is compiled with ASAN on: amd64 i386 armel armhf powerpc CVE-2017-14406 (A NULL pointer dereference was discovered in sync_buffer in interface. ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-null-pointer-dereference-in-sync_buffer-mpglibdblinterface-c/ CVE-2017-14405 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote comma ...) @@ -194561,11 +194566,11 @@ CVE-2017-12914 CVE-2017-12913 RESERVED CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which resu ...) - - mp3gain <removed> + - mp3gain 1.6.2-1 [wheezy] - mp3gain <end-of-life> NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows rem ...) @@ -308681,7 +308686,7 @@ CVE-2014-2284 (The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5 NOTE: http://sourceforge.net/p/net-snmp/mailman/message/32026655/ NOTE: http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/ CVE-2014-XXXX [buffer overflow] - - mp3gain <removed> (low; bug #740268) + - mp3gain 1.6.2-1 (low; bug #740268) [squeeze] - mp3gain <no-dsa> (Minor issue) [wheezy] - mp3gain <no-dsa> (Minor issue) NOTE: http://sourceforge.net/p/mp3gain/bugs/36/ diff --git a/data/embedded-code-copies b/data/embedded-code-copies index b7aed74b58..27851bb3e0 100644 --- a/data/embedded-code-copies +++ b/data/embedded-code-copies 
@@ -2980,10 +2980,6 @@ libjs-jquery-bbq (not packaged in Debian; RFP bug #741586; http://benalman.com/p - ganglia-web <unfixed> (embed) - jqapi <unfixed> (embed) -lame - - mp3gain <removed> (modified-embed) - NOTE: ancient copy, part of mpglib which was probably part of mpg123 at some point - zopfli - pigz <unfixed> (embed) - advancecomp <unfixed> (embed) |
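Review bot: in the first hunk of data/CVE/list, the new `- mp3gain <unfixed>` line for CVE-2019-18359 carries no Debian bug reference, while the CVE-2014-XXXX entry further down keeps the `(low; bug #740268)` form; since the NOTE line points at an openSUSE patch that already fixes the issue, file or reference a bug against mp3gain on that line so the open issue is tracked to a fixed version rather than sitting as a bare `<unfixed>`.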
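Review bot: the CVE-2018-10777 entry now states both a fixed version (`- mp3gain 1.6.2-1`) and a NOTE saying the issue is caught by FORTIFY_SOURCE and is not a real vulnerability; if the latter is the conclusion, tag the package line with a severity such as `(unimportant; ...)`, the form the CVE-2018-10775 bibutils entry in the same hunk uses, so the two statements do not contradict each other.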
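Review bot: in the CVE-2017-14410, CVE-2017-14409 and CVE-2017-14408 entries the added line reads `- mp3gain CVE-2018-10776`, so a CVE identifier occupies the field where a package version belongs; every sibling entry in the same hunk uses `- mp3gain 1.6.2-1`. If these three are meant to be the same bug as CVE-2018-10776, put the fixed version on the package line and record the relationship in a NOTE line instead, otherwise the parser will treat "CVE-2018-10776" as a version string.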
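Review bot: the data/embedded-code-copies hunk drops the whole `lame` section, and with it the NOTE that explained the mpglib copy probably came from mpg123; the commit message speaks of mp3gain no longer embedding mpg123 while the removed entry was filed under lame, so a brief mention in the commit message (or a NOTE line kept nearby) that the mpglib copy under lame is what was removed would keep the two consistent for anyone reading this history later.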