Bug#991496: libsndfile: CVE-2021-3246

To: submit@bugs.debian.org
Subject: Bug#991496: libsndfile: CVE-2021-3246
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sun, 25 Jul 2021 21:13:24 +0200
Message-id: <[🔎] YP231JnUqeyKetVq@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 991496@bugs.debian.org

Source: libsndfile
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libsndfile.

CVE-2021-3246[0]:
| A heap buffer overflow vulnerability in msadpcm_decode_block of
| libsndfile 1.0.30 allows attackers to execute arbitrary code via a
| crafted WAV file.

https://github.com/libsndfile/libsndfile/issues/687

Patch is here:
https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3246
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

Please adjust the affected versions in the BTS as needed.

Reply to:

Follow-Ups:
- Bug#991496: libsndfile: CVE-2021-3246
  - From: Erik de Castro Lopo <erikd@mega-nerd.com>
- Bug#991496: marked as done (libsndfile: CVE-2021-3246)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#991496: marked as done (libsndfile: CVE-2021-3246)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: libbluray_1.3.0-2_source.changes ACCEPTED into experimental
Next by Date: Bug#991496: libsndfile: CVE-2021-3246
Previous by thread: libbluray_1.3.0-2_source.changes ACCEPTED into experimental
Next by thread: Bug#991496: libsndfile: CVE-2021-3246
Index(es):
- Date
- Thread