Source: fluidsynth Version: 2.1.7-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FluidSynth/fluidsynth/issues/808 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for fluidsynth, filling it as grave to be on safe side because of the use after free aspect. Let me know if you disagree and we can downgrade. Still ideally it is fixed for bullseye. It was othrwise marked no-dsa for buster, deemed enought to be fixed via a point release. CVE-2021-28421[0]: | FluidSynth 2.1.7 contains a use after free vulnerability in | sfloader/fluid_sffile.c that can result in arbitrary code execution or | a denial of service (DoS) if a malicious soundfont2 file is loaded | into a fluidsynth library. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-28421 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28421 [1] https://github.com/FluidSynth/fluidsynth/issues/808 [2] https://github.com/FluidSynth/fluidsynth/pull/810 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
