Arch Linux

FS#57601 - [libid3tag] multiple cves

Attached to Project: Arch Linux
Opened by Karol Babioch (kbabioch) - Wednesday, 21 February 2018, 22:15 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 21 February 2018, 23:19 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


CVEs in libid3tag:

- CVE-2004-2779 (already fixed?)
- CVE-2008-2109 (already fixed?)
- CVE-2017-11550
- CVE-2017-11551

Used by several high-profile applications: audacity, minidlna, mpd, easytag

Upstream is dead. All of them are fixed by the following two patches from Debian:

Closed by Doug Newgard (Scimmia) - Wednesday, 21 February 2018, 23:19 GMT
Reason for closing: Not a bug

Comment by Karol Babioch (kbabioch) - Wednesday, 21 February 2018, 22:19 GMT
Looking at the PKGBUILD we apply the following patches:


These were probably taken from the Debian package ( They fix all of the above issues. 11_unknown_encoding.diff also fixes CVE-2008-2109 in another way than CVE-2008-2109.patch, so this could probably be dropped. It was an initial patch, which has not been merged upstream, is no longer needed and has been dropped from the Debian package.