[SECURITY] [DLA DLA-4287-1] libsndfile security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4287-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Paride Legovini
August 31, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libsndfile
Version : 1.0.31-2+deb11u1
CVE ID : CVE-2022-33065 CVE-2024-50612
Two vulnerabilities have been fixed in the audio data read/write library
libsndfile.
CVE-2022-33065
Multiple signed integer overflows in function au_read_header in src/au.c
and in functions mat4_open and mat4_read_header in src/mat4.c in
libsndfile allow an attacker to cause Denial of Service or other
unspecified impacts.
CVE-2024-50612
Out-of-bounds read in ogg_vorbis.c vorbis_analysis_wrote() can cause
memory corruption when parsing a specially crafted input file. This
vulnerability leads to Denial of Service (DoS).
For Debian 11 bullseye, these problems have been fixed in version
1.0.31-2+deb11u1.
We recommend that you upgrade your libsndfile packages.
For the detailed security status of libsndfile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsndfile
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
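
To confirm that a host has picked up the fix, the following added example (not part of the advisory) compares every binary package built from the libsndfile source package against the fixed version stated above. The function names, the tab-separated layout and the sample inventory are constructed for illustration; the check relies on dpkg and dpkg-query being present.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit one host against DLA-4287-1.
SOURCE_PACKAGE='libsndfile'        # source package named in the advisory
FIXED_VERSION='1.0.31-2+deb11u1'   # fixed version for Debian 11 bullseye

# Succeeds when version $1 is at or above the fixed version. dpkg's own
# comparison is used so that "+deb11u1" and "~" suffixes order correctly.
is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Emits "source<TAB>binary<TAB>version<TAB>status" for every known package.
list_packages() {
    dpkg-query -W -f='${source:Package}\t${Package}\t${Version}\t${db:Status-Abbrev}\n'
}

# Constructed inventory in the same layout, for trying the check offline.
sample_packages() {
    printf 'libsndfile\tlibsndfile1\t1.0.31-2\tii \n'
    printf 'libsndfile\tsndfile-programs\t1.0.31-2+deb11u1\tii \n'
    printf 'libsndfile\tlibsndfile1-dev\t1.0.31-2\trc \n'
    printf 'examplepkg\texamplepkg-bin\t0.1-1\tii \n'
}

# Reads that layout on stdin, reports each binary package built from
# SOURCE_PACKAGE that still has files on disk, and returns 1 if any of
# them predates the fix.
audit() {
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r src bin ver status; do
        [ "$src" = "$SOURCE_PACKAGE" ] || continue
        # Second status character: n = not installed, c = config files only.
        case $status in ?n*|?c*) continue ;; esac
        if is_fixed "$ver"; then
            printf 'OK          %s %s\n' "$bin" "$ver"
        else
            printf 'VULNERABLE  %s %s (fixed in %s)\n' "$bin" "$ver" "$FIXED_VERSION"
            rc=1
        fi
    done
    return "$rc"
}

# Audit the live dpkg database when run on a Debian system.
if command -v dpkg-query >/dev/null 2>&1; then
    list_packages | audit || echo 'Upgrade the packages marked VULNERABLE.'
fi
```

Long-running processes that loaded the old library keep it mapped until they are restarted, so a clean audit does not by itself mean every process is using the fixed code.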