Your message dated Mon, 01 Jun 2026 21:18:59 +0000
with message-id <[email protected]>
and subject line Bug#1138215: fixed in mpd 0.24.12-1
has caused the Debian Bug report #1138215,
regarding mpd: CVE-2026-49127 CVE-2026-49128 CVE-2026-49129 CVE-2026-49130
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138215
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mpd
Version: 0.24.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for mpd.
CVE-2026-49127[0]:
| Music Player Daemon (MPD) before version 0.24.11 contains a stack
| buffer overflow vulnerability in the pcm_unpack_24be function in
| src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt
| stack memory by triggering an off-by-one write in the PCM decoder
| plugin. Attackers can issue two MPD commands referencing a malicious
| HTTP audio source to cause the unpack loop to write 1366 entries
| into a 1365-entry buffer, overwriting four bytes past the array
| boundary with three attacker-controlled bytes from an HTTP response
| body, resulting in daemon termination or potential code execution.
CVE-2026-49128[1]:
| Music Player Daemon (MPD) before version 0.24.11 contains a path
| traversal vulnerability in LocalStorage::MapFSOrThrow and
| LocalStorage::MapUTF8 within the local storage plugin, where the on-
| disk path is constructed by joining the storage root with a user-
| supplied URI as plain strings without canonicalization, allowing
| '..' segments to survive into the resolved path and be flattened by
| the kernel at openat() time. An unauthenticated attacker can exploit
| this flaw using the listfiles command to enumerate names, sizes, and
| modification times of arbitrary directories readable by the MPD
| process, and the albumart command to read image files in any
| attacker-chosen directory outside the configured music_directory.
CVE-2026-49129[2]:
| Music Player Daemon (MPD) before version 0.24.11 contains a server-
| side request forgery vulnerability in CurlInputPlugin where
| CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR,
| allowing unauthenticated attackers to bypass the http/https scheme
| restriction by causing a malicious HTTP server to redirect to non-
| HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp.
| Attackers can trigger this vulnerability via MPD commands that
| initiate URL fetches, including add, readcomments, albumart,
| readpicture, or load, to interact with internal or restricted
| network services on systems running libcurl versions prior to
| 7.85.0.
CVE-2026-49130[3]:
| Music Player Daemon (MPD) before version 0.24.11 contains a CRLF
| injection vulnerability in the xspf_char_data function within the
| XSPF playlist plugin that allows attackers to embed literal CR/LF
| bytes in URI fields by supplying a malicious XSPF playlist with XML
| numeric character references. Attackers can inject forged key-value
| lines through the location field into MPD protocol responses
| including playlistinfo, currentsong, and listplaylist outputs, as
| well as the state file writer, by exploiting Expat's decoding of
| numeric character references prior to the character data callback.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-49127
https://www.cve.org/CVERecord?id=CVE-2026-49127
[1] https://security-tracker.debian.org/tracker/CVE-2026-49128
https://www.cve.org/CVERecord?id=CVE-2026-49128
[2] https://security-tracker.debian.org/tracker/CVE-2026-49129
https://www.cve.org/CVERecord?id=CVE-2026-49129
[3] https://security-tracker.debian.org/tracker/CVE-2026-49130
https://www.cve.org/CVERecord?id=CVE-2026-49130
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
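The path traversal described for CVE-2026-49128 above is the classic "join root and user-supplied URI as plain strings" bug: the `..` segments are never examined, so the kernel flattens them when the path is opened. The following is an added example, not code from MPD or from the Debian bug report; the root `/var/lib/mpd/music` and the function names `map_fs_vulnerable` / `map_fs_checked` are assumptions standing in for `music_directory` and for `LocalStorage::MapFSOrThrow`. It shows the vulnerable join beside a lexical check that refuses any URI whose normalized form leaves the root. The check is purely lexical, so it does nothing about symlinks inside the root that point outside it; that is a separate concern this example does not address.

```cpp
#include <cstdio>
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Assumed storage root, standing in for MPD's music_directory.
constexpr std::string_view kRoot = "/var/lib/mpd/music";

// Vulnerable pattern: root + "/" + uri as plain strings.  Nothing looks
// at the segments, so "../" survives into the result and is resolved by
// the kernel at openat() time.
std::string map_fs_vulnerable(std::string_view uri) {
    std::string path(kRoot);
    if (!uri.empty()) {
        path += '/';
        path.append(uri);
    }
    return path;
}

// Hardened pattern: reject absolute URIs, normalize the joined path
// lexically (collapsing "." and ".."), and require the result to be the
// root itself or a path strictly below it.  Returns nullopt on escape.
std::optional<std::string> map_fs_checked(std::string_view uri) {
    fs::path rel{std::string(uri)};
    if (rel.is_absolute())
        return std::nullopt;

    const fs::path root = fs::path(std::string(kRoot)).lexically_normal();
    std::string joined = (root / rel).lexically_normal().generic_string();

    // lexically_normal keeps a trailing separator for "a/b/"; drop it so
    // the prefix comparison below sees a plain directory path.
    while (joined.size() > 1 && joined.back() == '/')
        joined.pop_back();

    const std::string r = root.generic_string();
    if (joined == r)
        return joined;
    // A bare prefix match is not enough: "/var/lib/mpd/music2" starts
    // with the root string but is not inside it.  Require the separator.
    if (joined.size() > r.size() && joined.compare(0, r.size(), r) == 0 &&
        joined[r.size()] == '/')
        return joined;
    return std::nullopt;
}

int main() {
    // Constructed URIs of the kind the listfiles/albumart commands take.
    const char *uris[] = {"Artist/Album/cover.jpg", "../../../../etc",
                          "Artist/../../etc/passwd", "/etc/passwd"};
    for (const char *u : uris) {
        auto checked = map_fs_checked(u);
        std::printf("%-28s vulnerable -> %s\n", u, map_fs_vulnerable(u).c_str());
        std::printf("%-28s checked    -> %s\n", "",
                    checked ? checked->c_str() : "(rejected)");
    }
    return 0;
}
```

The interesting cases are the ones where the string join still looks plausible: `Artist/../../etc/passwd` normalizes to `/var/lib/mpd/etc/passwd`, one level above the root, and is rejected; `../../../../etc` normalizes to `/etc`. Both would have been opened verbatim by the vulnerable join.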
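The CRLF injection described for CVE-2026-49130 above hinges on an ordering detail: the XML parser decodes `&#13;&#10;` into literal CR and LF bytes before the character-data callback ever sees the text, so a filter that looks for the characters `&#13;` in the raw playlist would miss them, and a line-oriented `key: value` protocol writer that trusts the value then emits an extra, attacker-chosen line. The following is an added example, not MPD's code and not taken from the bug report; the toy decoder only stands in for Expat's numeric-character-reference handling (it covers code points below 0x80 and leaves everything else untouched), and the `<location>` text is constructed for the demonstration. It shows the forged line landing in a vulnerable response and a hardened writer refusing the value.

```cpp
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Toy stand-in for the XML parser's entity decoding: turns &#NN; and
// &#xHH; into the bytes they name, as Expat does before the character
// data callback runs.  Code points >= 0x80 and malformed references are
// copied through unchanged (a real parser would emit UTF-8 or error out).
std::string decode_numeric_char_refs(std::string_view in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '&' && i + 1 < in.size() && in[i + 1] == '#') {
            size_t end = in.find(';', i);
            if (end != std::string_view::npos) {
                std::string_view num = in.substr(i + 2, end - i - 2);
                int base = 10;
                if (!num.empty() && (num[0] == 'x' || num[0] == 'X')) {
                    base = 16;
                    num.remove_prefix(1);
                }
                unsigned long cp = 0;
                bool ok = !num.empty();
                for (char c : num) {
                    int d;
                    if (c >= '0' && c <= '9') d = c - '0';
                    else if (base == 16 && c >= 'a' && c <= 'f') d = c - 'a' + 10;
                    else if (base == 16 && c >= 'A' && c <= 'F') d = c - 'A' + 10;
                    else { ok = false; break; }
                    cp = cp * base + d;
                }
                if (ok && cp < 0x80) {
                    out.push_back(static_cast<char>(cp));
                    i = end;  // skip past the ';'
                    continue;
                }
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

// Vulnerable pattern: a "key: value\n" writer that trusts the value.  A
// CR or LF inside the value ends the line early, and the client parses
// whatever follows as a new key/value pair.
std::string render_line_vulnerable(std::string_view key, std::string_view value) {
    std::string line(key);
    line += ": ";
    line.append(value);
    line += '\n';
    return line;
}

bool contains_crlf(std::string_view s) {
    return s.find_first_of("\r\n") != std::string_view::npos;
}

// Hardened pattern: refuse to emit a value containing a line break.
// Stripping the bytes is the other option; rejecting is the safer
// default for a URI field, which has no legitimate reason to hold them.
std::optional<std::string> render_line_checked(std::string_view key,
                                               std::string_view value) {
    if (contains_crlf(value))
        return std::nullopt;
    return render_line_vulnerable(key, value);
}

// How many protocol lines a client would see in a response buffer.
size_t count_lines(std::string_view response) {
    size_t n = 0;
    for (char c : response)
        if (c == '\n') ++n;
    return n;
}

// Constructed <location> text from a hostile XSPF playlist.  On the
// wire it holds no raw line breaks; they appear only after decoding.
constexpr std::string_view kMaliciousLocation =
    "http://example.invalid/track.ogg&#13;&#10;Title: forged";

int main() {
    std::string uri = decode_numeric_char_refs(kMaliciousLocation);
    std::string bad = render_line_vulnerable("file", uri);
    std::printf("vulnerable writer emitted %zu line(s):\n%s", count_lines(bad), bad.c_str());
    auto good = render_line_checked("file", uri);
    std::printf("checked writer: %s\n", good ? good->c_str() : "(rejected: CR/LF in URI)");
    return 0;
}
```

The vulnerable writer turns one `file:` entry into two protocol lines, the second of which (`Title: forged`) a client has no way to distinguish from a genuine tag. The same reasoning applies to any other line-oriented sink the decoded string reaches, which is why the advisory also names the state file writer.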
--- Begin Message ---
Source: mpd
Source-Version: 0.24.12-1
Done: Florian Schlichting <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Schlichting <[email protected]> (supplier of updated mpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Jun 2026 22:42:36 +0200
Source: mpd
Architecture: source
Version: 0.24.12-1
Distribution: unstable
Urgency: medium
Maintainer: mpd maintainers <[email protected]>
Changed-By: Florian Schlichting <[email protected]>
Closes: 1138215
Changes:
mpd (0.24.12-1) unstable; urgency=medium
.
* New upstream version 0.24.12 (closes: #1138215)
+ fixes a stack buffer overflow vulnerability in the pcm_unpack_24be
function in src/pcm/Pack.cxx (CVE-2026-49127)
+ fixes a path traversal vulnerability in LocalStorage::MapFSOrThrow and
LocalStorage::MapUTF8 within the local storage plugin (CVE-2026-49128)
+ fixes a server-side request forgery vulnerability in CurlInputPlugin
(CVE-2026-49129)
+ fixes a CRLF injection vulnerability in the xspf_char_data function
within the XSPF playlist plugin (CVE-2026-49130)
* Add new files to d/copyright
* d/copyright: fix lintian warning about old FSF postal address
* Bump libcurl dependency to 7.85
* Declare compliance with Debian Policy 4.7.4
Checksums-Sha1:
a6fc0764d203483922e0a052ef10aff5f7906d97 3398 mpd_0.24.12-1.dsc
da342c8ed1ca0cc942aecacb1da5ed9b6bd790a6 1020148 mpd_0.24.12.orig.tar.xz
3b7b6d7f3405b6305e8f8192cf1171d4c6d344f2 833 mpd_0.24.12.orig.tar.xz.asc
306ed667e48e4ef30cd4713ff59f61de08318178 35836 mpd_0.24.12-1.debian.tar.xz
70a1082a3403b0b73e9d8c1fd8feaf28ef0e46ac 22115 mpd_0.24.12-1_amd64.buildinfo
Checksums-Sha256:
206c305bb32d801fb8e4087e596cf12b58ebf8ca6a478d02afedff64094648f9 3398 mpd_0.24.12-1.dsc
14223ca883c35fbf711994bcf745726cecc9d898e3d3964265cf3a2c7519a360 1020148 mpd_0.24.12.orig.tar.xz
554fdc41adba2a48406c7dbc449f2191ed851d5a082e80d42beef8860c492463 833 mpd_0.24.12.orig.tar.xz.asc
10f858970c37a11b44fe34ca34b841e4cf584b579fd647878ca5be34c3d7e804 35836 mpd_0.24.12-1.debian.tar.xz
807555946f6d81f0cd58e721d21bdfbd60d733759e0fc26f2281d2c0f9f47624 22115 mpd_0.24.12-1_amd64.buildinfo
Files:
35d7fcb66978f708bc49bfea475d6d13 3398 sound optional mpd_0.24.12-1.dsc
6c4a848e97661562fce3e20c72e6c678 1020148 sound optional mpd_0.24.12.orig.tar.xz
4c20414e8534a1d9071b19acf40d24a2 833 sound optional mpd_0.24.12.orig.tar.xz.asc
184877fd0d4ebff71445f7bbebed1dc7 35836 sound optional mpd_0.24.12-1.debian.tar.xz
26207999649769afc77bfdcf3de28a11 22115 sound optional mpd_0.24.12-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---