
Bug#987168: marked as done (fluidsynth: CVE-2021-28421)



Your message dated Sat, 24 Apr 2021 13:18:26 +0000
with message-id <E1laIB0-0009nF-Bv@fasolo.debian.org>
and subject line Bug#987168: fixed in fluidsynth 2.1.7-1.1
has caused the Debian Bug report #987168,
regarding fluidsynth: CVE-2021-28421
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fluidsynth
Version: 2.1.7-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FluidSynth/fluidsynth/issues/808
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for fluidsynth, filing it
as grave to be on the safe side because of the use-after-free aspect. Let
me know if you disagree and we can downgrade. Still ideally it is
fixed for bullseye. It was otherwise marked no-dsa for buster, deemed
enough to be fixed via a point release.

CVE-2021-28421[0]:
| FluidSynth 2.1.7 contains a use after free vulnerability in
| sfloader/fluid_sffile.c that can result in arbitrary code execution or
| a denial of service (DoS) if a malicious soundfont2 file is loaded
| into a fluidsynth library.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28421
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28421
[1] https://github.com/FluidSynth/fluidsynth/issues/808
[2] https://github.com/FluidSynth/fluidsynth/pull/810

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: fluidsynth
Source-Version: 2.1.7-1.1
Done: Reiner Herrmann <reiner@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
fluidsynth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated fluidsynth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Apr 2021 13:37:51 +0200
Source: fluidsynth
Architecture: source
Version: 2.1.7-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Closes: 987168
Changes:
 fluidsynth (2.1.7-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
     (Closes: #987168)


--- End Message ---
