Update: I was not aware that the Debian/openSUSE security patches had already been applied to master in commit b0d6a5 (2025-11-01, Bug #62). Thank you Glen for applying those.

To clarify the current status:

Fixed in master (not yet released):

  • CVE-2023-49356 — Stack buffer overflow in WriteMP3GainAPETag
  • CVE-2019-18359 — Buffer over-read in ReadMP3APETag
  • CVE-2018-10777 — Buffer overflow in WriteMP3GainAPETag
  • CVE-2017-12911 — Stack memory corruption in apetag.c

Possibly also addressed: Bugs #56–#60 (heap-buffer-overflow in ReadMP3APETag) — the Debian patch adds remaining size checks and field size validation that may cover these cases, but they were reported with specific PoC files and have not been explicitly confirmed as fixed.

Still affected (mpglibDBL, Windows binary only):
The v1.2.5 and v1.3.4 Windows binaries on the Downloads page still bundle mpglibDBL and are vulnerable to the 15 mpglibDBL-related CVEs listed above. These are mitigated when building v1.6.2 from source with system libmpg123.

Remaining suggestions:

  1. ~~Apply Debian's APE tag patches~~ — Done (b0d6a5)
  2. Remove or replace the v1.2.5/v1.3.4 Windows binaries — still applicable
  3. Create a new release from the patched master — would benefit Homebrew and other source-based distributions that don't apply their own patches
  4. Confirm whether Bugs #56–#60 are also resolved by the applied patches