#1122255 mp3splt: unfixed CVEs from 2017

Package:
src:mp3splt
Source:
src:mp3splt
Submitter:
Sebastian Ramacher
Date:
2025-12-14 10:49:01 UTC
Severity:
normal
Tags:
#1122255#5
Date:
2025-12-09 12:29:29 UTC
Source: mp3splt
Version: 2.6.2+20170630-3.1
Severity: serious
Tags: security
X-Debbugs-Cc: sramacher@debian.org

The CVEs CVE-2017-5851, CVE-2017-5666, and CVE-2017-5665 have never been
addressed -- neither in Debian nor upstream. While mp3splt might be a CLI
tool, it may be run on untrusted input. If we continue to include this
package in Debian, it should be checked whether the CVEs only allow
triggering a crash or potentially more than that.


Cheers

#1122255#10
Date:
2025-12-14 10:44:35 UTC
CVE-2017-5666 was explicitly addressed in 2017 in
https://bugs.debian.org/854278

The others appear related and if you read the actual CVEs have had no
analysis of there being any *actual* impact, or whether an even remotely
plausible/playable file could trigger them, and no contemporary or
subsequent assertion that they are in any way exploitable.

Someone ran fuzz testing, saw an ASAN warning, and filed some CVEs,
probably against the wrong package, and that's about it.  There has been
no apparent escalation in panic level and no confirmation that these
issues still exist, and, as you can see from the only *actual* analysis
in #854278, they were quite possibly fixed long before these CVEs were
created, in the package where that bug probably actually existed, in the
version that Debian was already shipping for quite some years before.

So unless you know something new, I don't think we need to turn the wolf
alarm on these up to 11 just yet :)

   Cheers,
   Ron (who did the 2017 analysis for this package)