[SECURITY] [DLA 4255-1] audiofile security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4255-1] audiofile security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Mon, 28 Jul 2025 09:03:59 +0000 (UTC)
Message-id: <[🔎] 40d6c532-43b6-5c99-f3a8-eda9602877b4@alteholz.de>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4255-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
July 28, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : audiofile
Version        : 0.3.6-5+deb11u1
CVE ID         : CVE-2019-13147 CVE-2022-24599


The audiofile library allows the processing of audio data to and
from audio files of many common formats (currently AIFF, AIFF-C,
WAVE, NeXT/Sun, BICS, and raw data).

CVE-2019-13147

    Audiofile was vulnerable due to an integer overflow.
    Bail out early if NeXT audio files include too many channels.

CVE-2022-24599

    A memory leak was found due to reading not null
    terminated copyright field. Preallocate zeroed memory and
    always NUL terminates C strings.


For Debian 11 bullseye, these problems have been fixed in version
0.3.6-5+deb11u1.

We recommend that you upgrade your audiofile packages.

For the detailed security status of audiofile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/audiofile

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmiHPQBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEc10A//Qdur8368eb+2ajLY9zNbG5VEQ44ZRYGO4rI3XEBe8Q3zLK+Et7+TO7Ou
hRQcOPndcZs3eTmw6KfG6t1laguDw9PPx0nD3BL9FapL+kCVCG62gi3RdeGOltcc
ToKQTdWA2eHQL6j1/1Pmp0ep1kmSMt70QsU2/z0CRDMWEoTui7x0nxq3CicsbHOW
vR1OaCaQQuhIdCSySk8Wp54afizt6J4ov9UCHGFYjkW4x75b+C1iWKPAY8RGj836
k8JeACEyEufidFxwSulcCBaGdIxg5d2DJeo8s0R/hfLVHUsWSKKPXZGrK3O+Xc74
m4aRsNWrjqy+Ft9t9PM0ZRKQKsBTARyDDGiwE04ykIjMn/wUq8zlR2n/lnpaAyF1
iiIJAggjL9UqOdWtKEIcs4waZ+2lCG5LmOIEfrDKNRsQWw4LiYaoyXATM40rB5jk
vLmz49yf+s5H9INjdrXpL8x1pn9CpY9FyIlQ2cpCT62PcLeaz/0YyYuPBtaNVbtv
fug6vlwFNcdC8iMeUrz2/+xzy6EUKzrDIJZZsOaDgD/bGtm7HR+g7v92bXOZmF0w
zrqB7I8++pO5eC3DBQp+Vzi4cd+rNsMkr/Dpqem27ku/xaKrF9rui/0yphhN4YuZ
fvJ3XVaPCl92g985qfDsBxfITsRCft/VASc1V7kSGOU4ty22vo8=
=Fbno
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4257-1] libcaca security update
Next by Date: [SECURITY] [DLA 4258-1] libfastjson security update
Previous by thread: [SECURITY] [DLA 4257-1] libcaca security update
Next by thread: [SECURITY] [DLA 4258-1] libfastjson security update
Index(es):
- Date
- Thread