Your message dated Sun, 10 May 2026 10:21:16 +0000
with message-id <[email protected]>
and subject line Bug#1136029: fixed in miniaudio 0.11.25+dfsg-1
has caused the Debian Bug report #1136029,
regarding miniaudio: CVE-2026-32837
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136029: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136029
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: miniaudio
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for miniaudio.
CVE-2026-32837[0]:
| miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and
| 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV
| BEXT metadata parser that allows attackers to trigger memory access
| violations by processing crafted WAV files. Attackers can exploit
| improper null-termination handling in the coding history field to
| cause out-of-bounds reads past the allocated metadata pool,
| resulting in application crashes or denial of service.
https://github.com/mackron/miniaudio/issues/1101
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32837
https://www.cve.org/CVERecord?id=CVE-2026-32837
Please adjust the affected versions in the BTS as needed.
--- End Message ---
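An added illustration of the bug class named in the CVE description above, a text field read past the end of its buffer because no terminator is guaranteed. This is not miniaudio's code and not the upstream patch. The helper name is hypothetical, and the 602-byte fixed part of the bext chunk is taken from the BWF layout (EBU Tech 3285), not from this report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size part of a bext chunk body (EBU Tech 3285); CodingHistory follows. */
#define BEXT_FIXED_SIZE 602u

/*
 * Hypothetical helper (not miniaudio's API): copy the CodingHistory field out
 * of a raw bext chunk body into a freshly allocated, NUL-terminated string.
 * The field may fill the chunk to its last byte with no terminator, so the
 * length is derived from chunk_size, never from an unbounded strlen().
 * Returns NULL on a truncated chunk or on allocation failure.
 */
char *bext_copy_coding_history(const uint8_t *chunk, size_t chunk_size,
                               size_t *out_len)
{
    if (chunk == NULL || chunk_size < BEXT_FIXED_SIZE)
        return NULL;                      /* fixed part is incomplete */

    const uint8_t *field = chunk + BEXT_FIXED_SIZE;
    size_t field_max = chunk_size - BEXT_FIXED_SIZE;

    /* Bounded scan: stop at the first NUL or at the end of the chunk. */
    const uint8_t *nul = field_max ? memchr(field, 0, field_max) : NULL;
    size_t len = nul ? (size_t)(nul - field) : field_max;

    char *copy = malloc(len + 1);         /* +1 for the terminator added here */
    if (copy == NULL)
        return NULL;
    if (len) memcpy(copy, field, len);
    copy[len] = '\0';
    if (out_len) *out_len = len;
    return copy;
}

int main(void)
{
    /* Constructed sample: zeroed fixed part, then 5 history bytes with no NUL. */
    uint8_t chunk[BEXT_FIXED_SIZE + 5] = {0};
    memcpy(chunk + BEXT_FIXED_SIZE, "A=PCM", 5);
    size_t len = 0;
    char *h = bext_copy_coding_history(chunk, sizeof chunk, &len);
    if (h == NULL) return 1;
    printf("%zu bytes: %s\n", len, h);
    free(h);
    return 0;
}
```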
--- Begin Message ---
Source: miniaudio
Source-Version: 0.11.25+dfsg-1
Done: Matthias Geiger <[email protected]>
We believe that the bug you reported is fixed in the latest version of
miniaudio, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Geiger <[email protected]> (supplier of updated miniaudio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 May 2026 11:52:25 +0200
Source: miniaudio
Architecture: source
Version: 0.11.25+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Geiger <[email protected]>
Changed-By: Matthias Geiger <[email protected]>
Closes: 1136029
Changes:
miniaudio (0.11.25+dfsg-1) unstable; urgency=medium
.
* New upstream release
* Cherry-pick upstream patch fixing out-of-bounds-read
(Closes: #1136029) (CVE-2026-32837)
* d/control: Bump Standards-Version to 4.7.4; drop priority: optional
--- End Message ---