Arch Linux User Repository

Heads up on security status for anyone landing here:

aacgain bundles mpglibDBL, faad2, and mp4v2 from source, all years out of date and never patched:

• mpglibDBL: 17 unpatched CVEs total. Most severe:
• CVE-2021-34085 (Critical, CVSS 9.8) — OOB read in III_dequantize_sample
• CVE-2017-14409 (High, CVSS 7.8) — buffer overflow
• CVE-2020-15359 — stack overflow with code-execution potential (found by ForAllSecure Mayhem fuzzer, ~1,600 crashes in ~6,000 test cases)
• faad2: CVE-2008-4201 (heap buffer overflow) and several others
• mp4v2: CVE-2018-14326, CVE-2018-14379, CVE-2023-1451, CVE-2023-29584

aacgain upstream has been effectively abandoned since 2019, with the final commit in July 2022. Homebrew deprecated aacgain as unmaintained in April 2023 for the same reason.

If you only need ReplayGain tag writing, rsgain (in [extra]) covers MP3/FLAC/Opus/Ogg/M4A and is actively maintained.

If you specifically need lossless global_gain rewrite on AAC/M4A files (the original aacgain USP — for car stereos, DJ gear, and other players that ignore RG tags), mp3rgain-bin on AUR is currently the only actively-maintained option. Disclosure: I co-maintain that package.

Full CVE breakdown with sources: https://github.com/M-Igashi/mp3rgain/blob/master/docs/security.md

Not asking the current maintainer to do anything — just leaving a record so users searching for aacgain can find context.

Please use spdx license identifier.

Actually, this downloads latest stuff from a git repository. So you must replace -cvs with -git in the package name.

Also, please do not list the package itself in source (git+https://aur.archlinux.org/aacgain-cvs.git).

Thanks for maintaining!

I disabled the warning which caused the compile error, so it should build again.

I have to say that this is really bad code though...

since a few months this it's not compilling :'( , the output its in spanish, sorry about that

``En el fichero inc``luido desde src/src.h:28,
                 desde src/impl.h:6:
src/mp4file.cpp: En la función miembro ‘MP4ChapterType mp4v2::impl::MP4File::ConvertChapters(MP4ChapterType)’:
src/mp4file.cpp:2583:44: error: el formato no es una cadena literal y no tiene argumentos de formato [-Werror=format-security]
 2583 |         VERBOSE_READ(GetVerbosity(), printf(errMsg));
      |                                      ~~~~~~^~~~~~~~
src/mp4util.h:48:63: nota: en definición de macro ‘VERBOSE’
   48 |     if (((exprverbosity) & (verbosity)) == (exprverbosity)) { expr; }
      |                                                               ^~~~
src/mp4file.cpp:2583:9: nota: en expansión de macro ‘VERBOSE_READ’
 2583 |         VERBOSE_READ(GetVerbosity(), printf(errMsg));
      |         ^~~~~~~~~~~~
En el fichero incluido desde /usr/include/string.h:519,
                 desde /usr/include/c++/11.1.0/cstring:42,
                 desde ./libplatform/platform_base.h:27,
                 desde ./libplatform/platform_posix.h:31,
                 desde ./libplatform/platform.h:24,
                 desde src/src.h:6,
                 desde src/impl.h:6:
En la función ‘char* strncpy(char*, const char*, size_t)’,
    incluido en línea de ‘void mp4v2::impl::MP4File::AddNeroChapter(MP4Timestamp, const char*)’ en src/mp4file.cpp:2233:16:
/usr/include/bits/string_fortified.h:95:34: aviso: ‘char* __builtin___strncpy_chk(char*, const char*, long unsigned int, long unsigned int)’: el límite especificado depende de la longitud del argumento origen [-Wstringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |          ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
   96 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~
src/mp4file.cpp: En la función miembro ‘void mp4v2::impl::MP4File::AddNeroChapter(MP4Timestamp, const char*)’:
src/mp4file.cpp:2232:39: nota: la longitud se calcula aquí
 2232 |         int len = min((uint32_t)strlen(chapterTitle), (uint32_t)255);
      |                                 ~~~~~~^~~~~~~~~~~~~~
En el fichero incluido desde /usr/include/string.h:519,
                 desde /usr/include/c++/11.1.0/cstring:42,
                 desde ./libplatform/platform_base.h:27,
                 desde ./libplatform/platform_posix.h:31,
                 desde ./libplatform/platform.h:24,
                 desde src/src.h:6,
                 desde src/impl.h:6:
En la función ‘char* strncpy(char*, const char*, size_t)’,
    incluido en línea de ‘MP4TrackId mp4v2::impl::MP4File::FindChapterReferenceTrack(MP4TrackId, char*, int)’ en src/mp4file.cpp:2264:28:
/usr/include/bits/string_fortified.h:95:34: aviso: ‘char* __builtin_strncpy(char*, const char*, long unsigned int)’: el límite especificado depende de la longitud del argumento origen [-Wstringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |          ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
   96 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~
src/mp4file.cpp: En la función miembro ‘MP4TrackId mp4v2::impl::MP4File::FindChapterReferenceTrack(MP4TrackId, char*, int)’:
src/mp4file.cpp:2263:55: nota: la longitud se calcula aquí
 2263 |                     int nameLen = min((uint32_t)strlen(name), (uint32_t)trackNameSize);
      |                                                 ~~~~~~^~~~~~
En el fichero incluido desde /usr/include/string.h:519,
                 desde /usr/include/c++/11.1.0/cstring:42,
                 desde ./libplatform/platform_base.h:27,
                 desde ./libplatform/platform_posix.h:31,
                 desde ./libplatform/platform.h:24,
                 desde src/src.h:6,
                 desde src/impl.h:6:
En la función ‘char* strncpy(char*, const char*, size_t)’,
    incluido en línea de ‘MP4ChapterType mp4v2::impl::MP4File::GetChapters(MP4Chapter_t**, uint32_t*, MP4ChapterType)’ en src/mp4file.cpp:2468:20:
/usr/include/bits/string_fortified.h:95:34: aviso: ‘char* __builtin_strncpy(char*, const char*, long unsigned int)’: el límite especificado depende de la longitud del argumento origen [-Wstringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |          ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
   96 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~
src/mp4file.cpp: En la función miembro ‘MP4ChapterType mp4v2::impl::MP4File::GetChapters(MP4Chapter_t**, uint32_t*, MP4ChapterType)’:
src/mp4file.cpp:2467:48: nota: la longitud se calcula aquí
 2467 |             uint32_t len = min((uint32_t)strlen(name), (uint32_t)MP4V2_CHAPTER_TITLE_MAX);
      |                                          ~~~~~~^~~~~~
En el fichero incluido desde /usr/include/string.h:519,
                 desde /usr/include/c++/11.1.0/cstring:42,
                 desde ./libplatform/platform_base.h:27,
                 desde ./libplatform/platform_posix.h:31,
                 desde ./libplatform/platform.h:24,
                 desde src/src.h:6,
                 desde src/impl.h:6:
En la función ‘char* strncpy(char*, const char*, size_t)’,
    incluido en línea de ‘void mp4v2::impl::MP4File::AddChapter(MP4TrackId, MP4Duration, const char*)’ en src/mp4file.cpp:2174:20:
/usr/include/bits/string_fortified.h:95:34: aviso: ‘char* __builtin___strncpy_chk(char*, const char*, long unsigned int, long unsigned int)’: el límite especificado depende de la longitud del argumento origen [-Wstringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |          ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
   96 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~
src/mp4file.cpp: En la función miembro ‘void mp4v2::impl::MP4File::AddChapter(MP4TrackId, MP4Duration, const char*)’:
src/mp4file.cpp:2171:39: nota: la longitud se calcula aquí
 2171 |         textLen = min((uint32_t)strlen(chapterTitle), (uint32_t)MP4V2_CHAPTER_TITLE_MAX);
      |                                 ~~~~~~^~~~~~~~~~~~~~
cc1plus: algunos avisos se tratan como errores
make: *** [GNUmakefile:1316: src/mp4file.lo] Error 1
==> ERROR: Se produjo un fallo en build().
    Cancelando...

Yes, my change to adjust the compile flags seems to be wrong. Your approach should work, but it seems safer to just change the makefile instead. Which was actually suggested by pitbuster in the first place.

I modified the package build accordingly. Perhaps you could check that it still works on ARM. I am not really using the package...

Thank you for adding ARM, oliver.anhuth. I can confirm this builds on arm7h (RPi).

Just a minor thing: I'm getting this warning a lot:

warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]

I think the problem is that pitbuster's suggestion overrides all the compiler flags, including optimisations. I fixed this by editing the line so that it appends to the environment (so makepkg.conf) CXXFLAGS:

make libmp4v2.la CXXFLAGS="$CXXFLAGS -Wno-narrowing"

In fact, I moved this option to the configure line instead of the make line, but I'm not sure if either is preferable? Both seem to work - tested on arm7h and x86_64.

Thanks! Added -Wno-narrowing to the mp4v2 build flags. Let's see how long this can stay afloat...

The build is throwing -Wnarrowing errors. I got it to locally compile by doing some manual patching on the mp4v2 source, but I think adding -Wno-narrowing in the Makefiles should be better.

It is not compiling. It's giving this error:

ERROR: A failure occurred in build(). Aborting... :: Unable to build aacgain-cvs - makepkg exited with code: 4