[MIR] lame

Bug #1753441 reported by Iain Lane
Affects: lame (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Adam Conrad

Bug Description

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========
For the 1.14 series, GStreamer upstream moved MP3 encoding and decoding into gst-plugins-good. These are installed by default, and so now we can have MP3 support in the default install. The desktop team would like this feature.

For that, it uses some libraries and we'll need to put them in main.

Security
========
There are some CVEs in the history of the project.

https://security-tracker.debian.org/tracker/source-package/lame
https://people.canonical.com/~ubuntu-security/cve/pkg/lame.html

The Ubuntu CVE page lists some 'needed' ones but from looking at those ones in Debian they are duplicates and should be fixed already.

Quality assurance
=================
Desktop team is subscribed.

Bugs
----

https://bugs.launchpad.net/ubuntu/+source/lame
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=lame

I think they are reasonably calm given that this is a well-known project.

Dependencies
============

We need libmp3lame0 in main, and this depends on libc6 only.

Standards compliance
====================

4.1.1 and dh minimal style rules.

Maintenance
===========
Desktop team will maintain. In Debian this is maintained by the multimedia team, which is active. We don't envisage the package diverging from Debian.

Mathieu Trudel-Lapierre (cyphermox) wrote :

This package has a long security history, and a currently left-open CVE because the upload of 3.100 did not include closing the active CVE.

If there's a go-ahead from the Security Team (I'm not looking for a code review, just an acknowledgement that they are aware of the requirement for this package, and are fine with its current general state), then I see no issues with this MIR.

Changed in lame (Ubuntu):
status: New → Incomplete
Emily Ratliff (emilyr) wrote :

+1 from security team for this to go forward. We will not be doing a code review at this time.

Changed in lame (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Marc Deslauriers (mdeslaur) wrote :

I just researched current open CVEs in bionic. The only one open is CVE-2017-15019, which is a minor issue.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Go for libmp3lame0, on the condition that CVE-2017-15019 be looked into.

Changed in lame (Ubuntu):
status: Incomplete → Fix Committed
assignee: Ubuntu Security Team (ubuntu-security) → nobody
assignee: nobody → Iain Lane (laney)
Adam Conrad (adconrad) wrote :

lame 3.100-2 in bionic: universe/sound -> main
lame 3.100-2 in bionic amd64: universe/sound/optional/100% -> main
lame 3.100-2 in bionic arm64: universe/sound/optional/100% -> main
lame 3.100-2 in bionic armhf: universe/sound/optional/100% -> main
lame 3.100-2 in bionic i386: universe/sound/optional/100% -> main
lame 3.100-2 in bionic ppc64el: universe/sound/optional/100% -> main
lame 3.100-2 in bionic s390x: universe/sound/optional/100% -> main
lame-doc 3.100-2 in bionic amd64: universe/doc/optional/100% -> main
lame-doc 3.100-2 in bionic arm64: universe/doc/optional/100% -> main
lame-doc 3.100-2 in bionic armhf: universe/doc/optional/100% -> main
lame-doc 3.100-2 in bionic i386: universe/doc/optional/100% -> main
lame-doc 3.100-2 in bionic ppc64el: universe/doc/optional/100% -> main
lame-doc 3.100-2 in bionic s390x: universe/doc/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic amd64: universe/libdevel/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic arm64: universe/libdevel/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic armhf: universe/libdevel/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic i386: universe/libdevel/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic ppc64el: universe/libdevel/optional/100% -> main
libmp3lame-dev 3.100-2 in bionic s390x: universe/libdevel/optional/100% -> main
libmp3lame0 3.100-2 in bionic amd64: universe/libs/optional/100% -> main
libmp3lame0 3.100-2 in bionic arm64: universe/libs/optional/100% -> main
libmp3lame0 3.100-2 in bionic armhf: universe/libs/optional/100% -> main
libmp3lame0 3.100-2 in bionic i386: universe/libs/optional/100% -> main
libmp3lame0 3.100-2 in bionic ppc64el: universe/libs/optional/100% -> main
libmp3lame0 3.100-2 in bionic s390x: universe/libs/optional/100% -> main
Override [y|N]? y
25 publications overridden.

Changed in lame (Ubuntu):
status: Fix Committed → Fix Released
assignee: Iain Lane (laney) → Adam Conrad (adconrad)