On 2021-04-24 14:20:43 +0200, Reiner Herrmann wrote:
> Control: tags 987168 + patch
> Control: tags 987168 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for fluidsynth (versioned as 2.1.7-1.1) and
> uploaded it to DELAYED/3. Please feel free to tell me if I
> should delay it longer.
Please feel free to reschedule to DELAYED/0. Cheers > > Regards, > Reiner > diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog > --- fluidsynth-2.1.7/debian/changelog 2021-02-09 21:43:23.000000000 +0100 > +++ fluidsynth-2.1.7/debian/changelog 2021-04-24 13:37:51.000000000 +0200 > @@ -1,3 +1,11 @@ > +fluidsynth (2.1.7-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421) > + (Closes: #987168) > + > + -- Reiner Herrmann <rei...@reiner-h.de> Sat, 24 Apr 2021 13:37:51 +0200 > + > fluidsynth (2.1.7-1) unstable; urgency=medium > > * New upstream version 2.1.7 > diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch > fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch > --- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 2021-04-24 > 13:35:20.000000000 +0200 
> @@ -0,0 +1,84 @@ > +From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001 > +From: Tom M <tom.m...@googlemail.com> > +Date: Mon, 15 Mar 2021 20:12:51 +0100 > +Subject: [PATCH] Invalid generators were not removed from zone list (#810) > +Bug: https://github.com/FluidSynth/fluidsynth/issues/808 > +Bug-Debian: https://bugs.debian.org/987168 > + > +fluid_list_remove() should receive the beginning of a list, so it can adjust > the predecessor of the element to be removed. Otherwise the element would > remain in the list, which in this case led to a use-after-free afterwards. > +--- > + src/sfloader/fluid_sffile.c | 20 ++++++++++++-------- > + 1 file changed, 12 insertions(+), 8 deletions(-) > + > +diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c > +index 001a0a0a4..47ab98d97 100644 > +--- a/src/sfloader/fluid_sffile.c > ++++ b/src/sfloader/fluid_sffile.c > +@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size) > + * ------------------------------------------------------------------- */ > + static int load_pgen(SFData *sf, int size) > + { > +- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL; > ++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list; > + SFZone *z; > + SFGen *g; > + SFGenAmount genval; > +@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size) > + /* traverse through all presets */ > + gzone = FALSE; > + discarded = FALSE; > +- p2 = ((SFPreset *)(p->data))->zone; > ++ start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone; > + > + if(p2) > + { > +@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size) > + } > + else > + { > ++ p2 = fluid_list_next(p2); /* advance to next zone > before deleting the current list element */ > + /* previous global zone exists, discard */ > + FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid > global zone", > + ((SFPreset *)(p->data))->name); > +- *hz = fluid_list_remove(*hz, p2->data); > +- delete_zone((SFZone *)fluid_list_get(p2)); > ++ 
fluid_list_remove(start_of_zone_list, z); > ++ delete_zone(z); > ++ continue; > + } > + } > + > +@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size) > + /* load instrument generators (see load_pgen for loading rules) */ > + static int load_igen(SFData *sf, int size) > + { > +- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL; > ++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list; > + SFZone *z; > + SFGen *g; > + SFGenAmount genval; > +@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size) > + /* traverse through all instruments */ > + gzone = FALSE; > + discarded = FALSE; > +- p2 = ((SFInst *)(p->data))->zone; > ++ start_of_zone_list = p2 = ((SFInst *)(p->data))->zone; > + > + if(p2) > + { > +@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size) > + } > + else > + { > ++ p2 = fluid_list_next(p2); /* advance to next zone > before deleting the current list element */ > + /* previous global zone exists, discard */ > + FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding > invalid global zone", > + ((SFInst *)(p->data))->name); > +- *hz = fluid_list_remove(*hz, p2->data); > +- delete_zone((SFZone *)fluid_list_get(p2)); > ++ fluid_list_remove(start_of_zone_list, z); > ++ delete_zone(z); > ++ continue; > + } > + } > + > diff -Nru fluidsynth-2.1.7/debian/patches/series > fluidsynth-2.1.7/debian/patches/series > --- fluidsynth-2.1.7/debian/patches/series 1970-01-01 01:00:00.000000000 > +0100 > +++ fluidsynth-2.1.7/debian/patches/series 2021-04-24 13:35:27.000000000 > +0200 > @@ -0,0 +1 @@ > +CVE-2021-28421.patch -- Sebastian Ramacher
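Review bot: the header of debian/patches/CVE-2021-28421.patch has Bug: and Bug-Debian: lines but no Origin: line, although the From: line already identifies the upstream commit (005719628aef0bd48dc7b2f860c7e4ca16b81044, PR #810 per the Subject). An Origin: line naming that upstream commit would complete the DEP-3 header and let tooling tell a backported upstream fix from a Debian-local change.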
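Review bot: in the load_pgen hunk at -1516, the head returned by `fluid_list_remove(start_of_zone_list, z)` is discarded, so if `z` were the first element of the zone list, `((SFPreset *)(p->data))->zone` would be left pointing at the freed node. That cannot happen on this branch, which by the comment "previous global zone exists, discard" is reached only after an earlier zone has been accepted, but the invariant is implicit; either write the result back, `start_of_zone_list = fluid_list_remove(start_of_zone_list, z);`, or add a one-line comment stating why the head cannot change here. Also confirm that the enclosing loop does not advance `p2` itself after the new `continue;`: the hunk now advances with `p2 = fluid_list_next(p2);` before freeing the element, and a second advance in the loop header would skip one zone.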
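Review bot: `**hz = NULL` is kept in the declaration hunks at -1355 (load_pgen) and -1864 (load_igen), but the only use of `*hz` visible in this patch, `*hz = fluid_list_remove(*hz, p2->data);`, is removed in both functions. If no other use of `hz` remains, drop the variable as well so the build does not pick up an unused-variable warning.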
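Review bot: the load_igen hunk at -2024 is a line-for-line copy of the load_pgen change, with the same discarded return value from `fluid_list_remove(start_of_zone_list, z)` and the same manual `p2 = fluid_list_next(p2);` before `continue;`, so the comments on the load_pgen hunk apply here unchanged. Since both functions now carry identical discard logic, a small shared helper taking the zone list head and the zone would keep the two copies from drifting apart the next time this code is touched.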
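The commit message's point, that a remove routine can only re-point the predecessor when it is handed the head of the list, as an added example that is not code from the patch, from FluidSynth, or from the NMU. `list_node_t`, `zone_t`, `list_append`, `list_remove`, `count_until_stale` and `discard_invalid_zones` are stand-ins written for this example; only the names fluid_list_t, fluid_list_remove and delete_zone are taken from the patch, and the assumption that the remove routine frees the list node itself is this example's, not something verified against the FluidSynth source.

```c
#include <stdlib.h>

/* Stand-ins for fluid_list_t and SFZone, written for this example. */
typedef struct list_node {
    void *data;
    struct list_node *next;
} list_node_t;

typedef struct {
    const char *name;
    int valid;              /* 0 marks a zone the loader should discard */
} zone_t;

static list_node_t *list_append(list_node_t *head, void *data)
{
    list_node_t *n = malloc(sizeof *n), *tail;
    if (!n) abort();
    n->data = data;
    n->next = NULL;
    if (!head) return n;
    for (tail = head; tail->next; tail = tail->next) ;
    tail->next = n;
    return head;
}

/* Unlink and free the first node holding `data`, walking from `list`, and
 * return the (possibly new) head. The predecessor can only be re-pointed
 * when the walk starts at the real head: started at an interior node, the
 * node before it is never visited and keeps pointing at freed memory. */
static list_node_t *list_remove(list_node_t *list, void *data)
{
    list_node_t *prev = NULL, *cur;
    for (cur = list; cur; prev = cur, cur = cur->next) {
        if (cur->data != data) continue;
        if (prev) prev->next = cur->next;
        else list = cur->next;
        free(cur);
        return list;
    }
    return list;
}

static void list_free(list_node_t *head)
{
    while (head) { list_node_t *n = head->next; free(head); head = n; }
}

/* Count nodes reachable from head, stopping and flagging if the walk reaches
 * the address `stale`; the freed node is only compared against, never read. */
static int count_until_stale(const list_node_t *head, const list_node_t *stale,
                             int *hit_stale)
{
    int n = 0;
    *hit_stale = 0;
    for (; head; head = head->next) {
        if (head == stale) { *hit_stale = 1; break; }
        n++;
    }
    return n;
}

/* Pre-patch pattern: removal is started at the current element (p2), not at
 * the head. Returns 1 when the predecessor is left pointing at the freed node,
 * which is the dangling link that the next walk from the head would follow. */
int demo_remove_from_interior(void)
{
    zone_t a = {"global", 1}, b = {"global again", 0}, c = {"instrument", 1};
    list_node_t *head = list_append(list_append(list_append(NULL, &a), &b), &c);
    list_node_t *p2 = head->next;         /* loader is positioned on b */
    list_node_t *c_node = p2->next;       /* kept so it can be freed by hand */
    int hit_stale;

    list_remove(p2, &b);                  /* walk starts at b, so prev == NULL */
    count_until_stale(head, p2, &hit_stale);

    free(head);                           /* free the live nodes without walking */
    free(c_node);
    return hit_stale;
}

/* Patched pattern, generalised: advance first, remove from the head, and keep
 * the returned head so that an invalid zone in first position is handled too. */
static list_node_t *discard_invalid_zones(list_node_t *head)
{
    list_node_t *p2 = head;
    while (p2) {
        zone_t *z = p2->data;
        p2 = p2->next;                    /* advance before the node is freed */
        if (!z->valid)
            head = list_remove(head, z);
    }
    return head;
}

/* Constructed input: invalid zones in first and third position. Returns the
 * number of zones left; every node walked afterwards is live. */
int demo_remove_from_head(void)
{
    zone_t a = {"bogus first", 0}, b = {"global", 1}, c = {"bogus", 0}, d = {"instrument", 1};
    list_node_t *head = list_append(list_append(list_append(list_append(NULL, &a), &b), &c), &d);
    int hit_stale, n;

    head = discard_invalid_zones(head);
    n = count_until_stale(head, NULL, &hit_stale);
    list_free(head);
    return n;
}
```

`demo_remove_from_interior` reproduces the shape of the old `*hz = fluid_list_remove(*hz, p2->data)` call: the walk begins at the element being removed, so `prev` is never set, the first node's `next` still holds the freed address, and the next traversal from the head is the use-after-free. `demo_remove_from_head` follows the patched order (advance `p2`, remove from the list head, then continue) and additionally writes the returned head back, which covers the one case the patch's discarded return value does not: the removed zone sitting at the head of the list.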