
Bug#987168: marked as done (fluidsynth: CVE-2021-28421)



Your message dated Mon, 03 May 2021 18:17:08 +0000
with message-id <E1ldd80-0002GB-Bh@fasolo.debian.org>
and subject line Bug#987168: fixed in fluidsynth 1.1.11-1+deb10u1
has caused the Debian Bug report #987168,
regarding fluidsynth: CVE-2021-28421
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fluidsynth
Version: 2.1.7-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FluidSynth/fluidsynth/issues/808
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for fluidsynth, filing it
as grave to be on the safe side because of the use after free aspect. Let
me know if you disagree and we can downgrade. Still ideally it is
fixed for bullseye. It was otherwise marked no-dsa for buster, deemed
enough to be fixed via a point release.

CVE-2021-28421[0]:
| FluidSynth 2.1.7 contains a use after free vulnerability in
| sfloader/fluid_sffile.c that can result in arbitrary code execution or
| a denial of service (DoS) if a malicious soundfont2 file is loaded
| into a fluidsynth library.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28421
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28421
[1] https://github.com/FluidSynth/fluidsynth/issues/808
[2] https://github.com/FluidSynth/fluidsynth/pull/810

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: fluidsynth
Source-Version: 1.1.11-1+deb10u1
Done: Reiner Herrmann <reiner@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
fluidsynth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated fluidsynth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Apr 2021 18:46:20 +0200
Source: fluidsynth
Binary: fluidsynth fluidsynth-dbgsym libfluidsynth-dev libfluidsynth1 libfluidsynth1-dbgsym
Architecture: source amd64
Version: 1.1.11-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 fluidsynth - Real-time MIDI software synthesizer
 libfluidsynth-dev - Real-time MIDI software synthesizer (development files)
 libfluidsynth1 - Real-time MIDI software synthesizer (runtime library)
Closes: 987168
Changes:
 fluidsynth (1.1.11-1+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * Backport fix for use-after-free vulnerability. (CVE-2021-28421)
     (Closes: #987168)
Checksums-Sha1:
 415d2ae898416ff2d24717dbdf967a223b124f98 2377 fluidsynth_1.1.11-1+deb10u1.dsc
 e86a98b7a09d60e29edcb10f87da6433b2d0c485 634566 fluidsynth_1.1.11.orig.tar.gz
 323dca1c57b9fb93455c1bdd8cae04bbecae61c7 14596 fluidsynth_1.1.11-1+deb10u1.debian.tar.xz
 2e03e367352b608ae5ca74de8c4c509a5debf6b0 21324 fluidsynth-dbgsym_1.1.11-1+deb10u1_amd64.deb
 b88aa31a0bfc20a803d9903b090f3fbd37beb063 9777 fluidsynth_1.1.11-1+deb10u1_amd64.buildinfo
 8b00257861b50f6d3ff9634f7736acc522b99665 50396 fluidsynth_1.1.11-1+deb10u1_amd64.deb
 0095ba0371a6c217dbe1941e4abcc8eb260b08be 48912 libfluidsynth-dev_1.1.11-1+deb10u1_amd64.deb
 2407e01ea0be418f5cd00223c8c7665a529dd339 508596 libfluidsynth1-dbgsym_1.1.11-1+deb10u1_amd64.deb
 8e56d77e9a7ffff12e3ee6336a1a82568d7ee752 167192 libfluidsynth1_1.1.11-1+deb10u1_amd64.deb
Checksums-Sha256:
 f9e1902e05e468ec439721d673f7543552ea4435ee241dcc53f083e29c566012 2377 fluidsynth_1.1.11-1+deb10u1.dsc
 da8878ff374d12392eecf87e96bad8711b8e76a154c25a571dd8614d1af80de8 634566 fluidsynth_1.1.11.orig.tar.gz
 db60ca3efe75b278992ca1d4231f9c67ab5647d019c9c43f1fb05cd6a70095e2 14596 fluidsynth_1.1.11-1+deb10u1.debian.tar.xz
 541f4582d72f980f9509151908cdee8fb615cb5c7a00645909c591298995d468 21324 fluidsynth-dbgsym_1.1.11-1+deb10u1_amd64.deb
 e24d31fde540faa476513fa248d40b361e33f7edfac27e132f1e850a8037261d 9777 fluidsynth_1.1.11-1+deb10u1_amd64.buildinfo
 57a7e89d3e7be61550c647e49c633074eaf66b4bada58663de5162178eab5202 50396 fluidsynth_1.1.11-1+deb10u1_amd64.deb
 82e9768eb6a950e7ebebe4a43b7f8aa794b0645c59857ec2d9ec933e1a056b84 48912 libfluidsynth-dev_1.1.11-1+deb10u1_amd64.deb
 7a40261edbe226e39a9915ca04c7934e3e60195cac78130adb878c43ab4fb29e 508596 libfluidsynth1-dbgsym_1.1.11-1+deb10u1_amd64.deb
 31a01aaca1270db9faab319c47a2ed6f667666b501660a2a15fdafd653c89738 167192 libfluidsynth1_1.1.11-1+deb10u1_amd64.deb
Files:
 56f7d93729f3d4bacd2035bc1b613673 2377 sound optional fluidsynth_1.1.11-1+deb10u1.dsc
 1d84d844b2f76df2292f31e7263d00db 634566 sound optional fluidsynth_1.1.11.orig.tar.gz
 2c616186ac85fdefdcc6fd8f0cd9b5d7 14596 sound optional fluidsynth_1.1.11-1+deb10u1.debian.tar.xz
 200323fb285e0e7788c739e9a8d0e574 21324 debug optional fluidsynth-dbgsym_1.1.11-1+deb10u1_amd64.deb
 78395b0be0cc3666ef56e5b9dc680305 9777 sound optional fluidsynth_1.1.11-1+deb10u1_amd64.buildinfo
 3b40c0e560572ecd14793d22463f423b 50396 sound optional fluidsynth_1.1.11-1+deb10u1_amd64.deb
 980867708023bb11b28122ff4588e50f 48912 libdevel optional libfluidsynth-dev_1.1.11-1+deb10u1_amd64.deb
 263b28cd097bafc51fd393dc6f83c4cf 508596 debug optional libfluidsynth1-dbgsym_1.1.11-1+deb10u1_amd64.deb
 7893f14af6e41ed2e22a3d445982cf08 167192 libs optional libfluidsynth1_1.1.11-1+deb10u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
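The upload above ships its Checksums-Sha256 stanza, which is how a practitioner confirms that the files pulled from a mirror are the ones Reiner signed. The script below is an added example, not code from the Debian BTS messages or from the fluidsynth project: it parses that stanza out of a .changes file and checks each listed file's size and SHA-256 against what is on disk, then (on a Debian host) asks dpkg whether the installed libfluidsynth1 is at or above the buster fix version named in the changelog. The function names `changes_sha256_lines`, `verify_changes`, `buster_fix_installed` and `make_demo`, and the demo package `demo_1.0-1_amd64.deb` with its constructed .changes file, are assumptions made for this example; `sha256sum` (coreutils) or `shasum` is assumed to be available.

```shell
#!/bin/sh
# Added example: verify files against a .changes Checksums-Sha256 stanza.
# Not part of the Debian BTS message or the fluidsynth project.

# Print the SHA-256 of one file; coreutils sha256sum, falling back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "hash size filename" triples from the Checksums-Sha256 stanza of a
# .changes file. The stanza ends at the next non-indented field line.
changes_sha256_lines() {
    awk '/^Checksums-Sha256:/ {f=1; next}
         /^[^ ]/             {f=0}
         f && NF == 3        {print $1, $2, $3}' "$1"
}

# verify_changes CHANGESFILE DIR
# Returns 0 only if every listed file exists in DIR with the listed size and
# SHA-256; prints one status line per file. Size is checked first because a
# truncated download is the common case and is cheaper to report than a hash.
verify_changes() {
    _changes=$1; _dir=$2; _bad=0
    while read -r want_hash want_size name; do
        [ -n "$name" ] || continue          # empty stanza or blank line
        path="$_dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; _bad=1; continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_hash=$(sha256_of "$path")
        if [ "$got_size" != "$want_size" ]; then
            echo "BADSIZE  $name (expected $want_size, got $got_size)"; _bad=1
        elif [ "$got_hash" != "$want_hash" ]; then
            echo "BADHASH  $name"; _bad=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$(changes_sha256_lines "$_changes")
EOF
    return $_bad
}

# Is the installed libfluidsynth1 at or above the buster fix 1.1.11-1+deb10u1?
# Returns 0 yes, 1 no, 2 cannot tell (no dpkg, or package not installed).
# Caveat: this threshold is only meaningful on buster; on bullseye/sid the
# affected 2.1.7-1 compares "greater" than the buster version yet is unfixed.
buster_fix_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    v=$(dpkg-query -W -f='${Version}' libfluidsynth1 2>/dev/null) || return 2
    [ -n "$v" ] || return 2
    dpkg --compare-versions "$v" ge 1.1.11-1+deb10u1
}

# Constructed demo input: a one-file "package" whose content is "hello\n"
# (SHA-256 5891b5b5...be03, 6 bytes) and a matching minimal .changes file.
# Prints the directory it created.
make_demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/demo_1.0-1_amd64.deb"
    cat > "$d/demo_1.0-1_amd64.changes" <<EOF
Format: 1.8
Source: demo
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 demo_1.0-1_amd64.deb
Files:
 b1946ac92492d2347c6235b4d2611184 6 misc optional demo_1.0-1_amd64.deb
EOF
    echo "$d"
}

# Stand-alone run: verify the constructed demo, then tamper with it.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    d=$(make_demo)
    verify_changes "$d/demo_1.0-1_amd64.changes" "$d"
    printf 'hellO\n' > "$d/demo_1.0-1_amd64.deb"   # same size, different bytes
    verify_changes "$d/demo_1.0-1_amd64.changes" "$d" || echo "tampered file detected"
    rm -rf "$d"
fi
```

To check a real download, run `verify_changes fluidsynth_1.1.11-1+deb10u1_amd64.changes .` in the directory holding the .dsc, .orig.tar.gz, .debian.tar.xz and .deb files; verify the .changes file's own PGP signature first (`gpg --verify`), since the checksums only bind the files to the signed text, not the text to a signer.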
