
Bug#987168: fluidsynth: CVE-2021-28421



Source: fluidsynth
Version: 2.1.7-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FluidSynth/fluidsynth/issues/808
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for fluidsynth, filing it
as grave to be on the safe side because of the use after free aspect. Let
me know if you disagree and we can downgrade. Still ideally it is
fixed for bullseye. It was otherwise marked no-dsa for buster, deemed
enough to be fixed via a point release.

CVE-2021-28421[0]:
| FluidSynth 2.1.7 contains a use after free vulnerability in
| sfloader/fluid_sffile.c that can result in arbitrary code execution or
| a denial of service (DoS) if a malicious soundfont2 file is loaded
| into a fluidsynth library.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28421
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28421
[1] https://github.com/FluidSynth/fluidsynth/issues/808
[2] https://github.com/FluidSynth/fluidsynth/pull/810

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

