Forum Thread: "Lame" update lames

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Sector "Lame" update lames
Member 24th Oct, 2017 14:52
Ranking: 2
Posts: 2
User Since: 24th Oct, 2017
System Score: N/A
Location: DE
Hi there,

When prompted by Secunia, I tried several ways to update the "Lame" mp3 assistant for "Audacity". But the Secunia window stays unchanged all the time and constantly requires the "Lame" update anew.

I located the "Lame" update in C:\Windows\ Users\Administrator\Documents - and "Audacity" accepted this connection. Could it be that the Secunia System Score is not capable of registering it in this location?

Thanks for any hints
Sector

Maurice Joyce RE: "Lame" update lames
Handling Contributor 25th Oct, 2017 10:00
Score: 12325
Posts: 9,569
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What programme is PSI showing as vulnerable after a full scan? Is it Audacity?

When you right click on the listed entry to the vulnerable file and select SHOW DETAILS what is the full path including the file version number that PSI gives you?


--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1803 Build 17134.81
16 GB RAM
IE & Edge Only
Charlie83672 RE: "Lame" update lames
Member 25th Oct, 2017 19:34
Score: 14
Posts: 17
User Since: 16th Dec 2010
System Score: N/A
Location: N/A
Speaking only about and from my limited experience

Secunia PSI said my Audacity 2.1.3.0 is up to date, but flagged LAME 3.99.2.3 as insecure. My understanding of the Audacity to LAME relationship is that, for legal reasons, Audacity does NOT include an MP3 encoder, but Audacity menu Edit > Preferences > Libraries provides to the user the ability to point to a LAME MP3 encoder named lame_enc.dll located elsewhere on your hard drive.
Charlie83672 RE: "Lame" update lames
Member 25th Oct, 2017 19:35
Score: 14
Posts: 17
User Since: 16th Dec 2010
System Score: N/A
Location: N/A
So it is version 3.99.2.3 of LAME, and not Audacity, which is flagged by Secunia and is insecure.

Secunia recommends the current version of LAME which is 3.100. Unfortunately, when I obtained a dll file with that version number, I found that Audacity 2.1.3.0 will not accept it, saying "You are linking to lame_enc.dll v3.100. This version is not compatible with Audacity 2.1.3. Please download the latest version of the LAME MP3 library." Well, it is the latest version, but Audacity doesn't know that yet!

I believe 3.100 was released about two weeks ago, and I guess the Audacity folk will need to update Audacity to accept it. Maybe I'll see if it's possible to tweak the version number and fool Audacity?

But wait! There's more. . . .
Charlie83672 RE: "Lame" update lames
Member 25th Oct, 2017 19:37
Score: 14
Posts: 17
User Since: 16th Dec 2010
System Score: N/A
Location: N/A
The Secunia advisory 62995 says that "The vulnerability is confirmed in [LAME] version 3.99.5 and reported in versions prior to 3.100." However, I did obtain a version of lame_enc.dll internally named both "3.99.2.5" and "3.99 release 5" and that one works with Audacity and is not flagged by Secunia.

Still confused, I finally did "Show details" [as usual, Maurice gave great advice] on the "LAME 3.x" line item of the PSI report page, and saw that it is only the lame.EXE that is flagged, not the DLL. So I got rid of the LAME.exe 3.99.2.3 and in fact all the LAME exe files prior to 3.100. Audacity 2.1.3 appears to work well with exporting MP3s using either the 3.99.2.3 or the 3.99.2.5 version of the lame_enc.dll and PSI is also happy now.

Not that I can recommend anything about what you should do with your device, but here's a path. Find your one file named Lame.EXE which PSI flagged and get rid of it. Keep everything else. Then PSI scan and try exporting an mp3 with Audacity. I'm guessing that will work.

Charlie
PS I found some of these files and info at or through these --
http://manual.audacityteam.org/man/faq_installatio...
http://lame.buanzo.org (also recommended by Audacity folks)
http://www.rarewares.org/mp3-lame-libraries.php (also recommended by LAME folks)
http://lame.buanzo.com.ar/ (also recommended by LAME folks)

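Added example, not part of any post in this thread and not Secunia's, LAME's or Audacity's code: the posts above come down to finding every LAME binary on disk and reading its full path and file version, which is what PSI's "Show details" shows for one entry. This PowerShell script lists them all and separates the EXE from the DLL; the search roots are assumptions, and the 3.100 threshold is the one quoted from the advisory in the thread.

```powershell
# Added example: inventory LAME binaries by path and embedded file version.
# Assumption: these search roots; add any folder where you unpacked LAME.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path $_) }

# "Prior to 3.100" is the affected range quoted from the advisory in the thread.
$fixed = New-Object -TypeName System.Version -ArgumentList 3, 100, 0, 0
$none  = New-Object -TypeName System.Version -ArgumentList 0, 0, 0, 0

Get-ChildItem -Path $roots -Recurse -File -Include 'lame.exe', 'lame_enc.dll' `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Use the numeric version parts; the FileVersion string can be free text
        # (the thread mentions "3.99 release 5" next to "3.99.2.5").
        $vi  = $_.VersionInfo
        $ver = New-Object -TypeName System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        $status = if ($ver -eq $none) {
            'no version resource'      # cannot be judged from metadata alone
        } elseif ($ver -lt $fixed) {
            'older than 3.100'
        } else {
            '3.100 or later'
        }

        [pscustomobject]@{
            Type    = $_.Extension.TrimStart('.').ToUpper()   # EXE or DLL
            Version = $ver
            Status  = $status
            Path    = $_.FullName
        }
    } |
    Sort-Object Type, Version |
    Format-Table -AutoSize
```

The script only reports; it deletes nothing, so what to do with each listed file remains a manual decision.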
Sector RE: "Lame" update lames
Member 29th Oct, 2017 18:41
Score: 2
Posts: 2
User Since: 24th Oct 2017
System Score: N/A
Location: DE
Hi,

I have to thank both friends, Maurice and Charlie, for helpful information about the skillful handling of my Secunia difficulties. Charlie's broad studies will even be useful in the case of some problems that go beyond my special case.

For the solution of the problem (updating "Lame" factually, but without being recognized by Secunia) I have especially picked up a piece of advice from Maurice, who recommended right-clicking (in the Secunia window) the icon of the problem program and then just choosing "Show details." Indeed this uncovered the path to the registration location that is decisive for the haptic sense of Secunia. When I placed the new download there, the system recognised and accepted it.

So I think we advanced successfully some way together. Thanks again.
Sector