On Mon, Nov 16, 2020 at 04:14:30AM +0100, Adam Borowski wrote:
> Package: mp3gain
> Version: 1.6.2-1+b1
> Severity: important
>
> Trying to run mp3gain results in:
> ==23813==ASan runtime does not come first in initial library list;
> you should either link runtime to your application or manually
> preload it with LD_PRELOAD.
>
> And indeed, invoking it as:
> LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.6 mp3gain -p -a *mp3
> does the trick.

It looks like back in 2014 this was added to mitigate the stack buffer overflows from #740268. But as far as I understand, compiling with ASAN was not recommended to be used in general as a hardening measure; there were reports back in 2016 such as

https://blog.hboeck.de/archives/879-Safer-use-of-C-code-running-Gentoo-with-Address-Sanitizer.html
https://www.openwall.com/lists/oss-security/2016/02/17/9

That said, I do not know if that is still an issue as of today, but I am raising this question on the topic.

Regards,
Salvatore

