Your message dated Sun, 09 Mar 2025 12:49:47 +0000
with message-id <[email protected]>
and subject line Bug#1099609: fixed in miniaudio 0.11.22+dfsg-1
has caused the Debian Bug report #1099609,
regarding miniaudio: CVE-2024-41147
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1099609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: miniaudio
Version: 0.11.21+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for miniaudio.

CVE-2024-41147[0]:
| An out-of-bounds write vulnerability exists in the
| ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio
| v0.11.21. A specially crafted .flac file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

I suspect this is fixed in upstream 0.11.22, but have not isolated the
respective commit.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41147
    https://www.cve.org/CVERecord?id=CVE-2024-41147
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2063

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: miniaudio
Source-Version: 0.11.22+dfsg-1
Done: Matthias Geiger <[email protected]>

We believe that the bug you reported is fixed in the latest version of
miniaudio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Geiger <[email protected]> (supplier of updated miniaudio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Mar 2025 13:29:24 +0100
Source: miniaudio
Architecture: source
Version: 0.11.22+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Matthias Geiger <[email protected]>
Changed-By: Matthias Geiger <[email protected]>
Closes: 1099609
Changes:
 miniaudio (0.11.22+dfsg-1) unstable; urgency=high
 .
   * New upstream release (Closes: #1099609)
     - Includes upstream commit ee506b1, fixing CVE-2024-41147
   * Bump S-V to 4.7.1; no changes needed
   * d/rules: Override cmake build for now
   * d/control: Update my mail address




--- End Message ---
