Source: musescore3 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for musescore3. CVE-2023-44428[0]: | MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code | Execution Vulnerability. This vulnerability allows remote attackers | to execute arbitrary code on affected installations of MuseScore. | User interaction is required to exploit this vulnerability in that | the target must visit a malicious page or open a malicious file. | The specific flaw exists within the parsing of CAP files. The issue | results from the lack of proper validation of the length of user- | supplied data prior to copying it to a heap-based buffer. An | attacker can leverage this vulnerability to execute code in the | context of the current process. Was ZDI-CAN-20769. Unfortunatetly details are sparse, the only reference is https://www.zerodayinitiative.com/advisories/ZDI-23-1526/ If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-44428 https://www.cve.org/CVERecord?id=CVE-2023-44428 Please adjust the affected versions in the BTS as needed.
