Your message dated Sat, 24 Apr 2021 19:05:02 +0200
with message-id <127a44c8-9176-a2ce-dcf8-4669aee12...@debian.org>
and subject line Re: Bug#987471: unblock: fluidsynth/2.1.7-1.1
has caused the Debian Bug report #987471,
regarding unblock: fluidsynth/2.1.7-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987471: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987471
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: utka...@debian.org, debian-multime...@lists.debian.org

Please unblock package fluidsynth

I intend to NMU version 2.1.7-1.1 to DELAYED/3, which imports
an upstream security fix.

[ Reason ]
The package has a use-after-free vulnerability.

[ Impact ]
Arbitrary code execution or denial of service.

[ Tests ]
I tested that it compiles and installs, and tested running it
against the vulnerable example file from the upstream bug
tracker. With the patch applied, it no longer crashes.

unblock fluidsynth/2.1.7-1.1
diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
--- fluidsynth-2.1.7/debian/changelog	2021-02-09 21:43:23.000000000 +0100
+++ fluidsynth-2.1.7/debian/changelog	2021-04-24 13:37:51.000000000 +0200
@@ -1,3 +1,11 @@
+fluidsynth (2.1.7-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
+    (Closes: #987168)
+
+ -- Reiner Herrmann <rei...@reiner-h.de>  Sat, 24 Apr 2021 13:37:51 +0200
+
 fluidsynth (2.1.7-1) unstable; urgency=medium
 
   * New upstream version 2.1.7
diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
--- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	1970-01-01 01:00:00.000000000 +0100
+++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	2021-04-24 13:35:20.000000000 +0200
@@ -0,0 +1,84 @@
+From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
+From: Tom M <tom.m...@googlemail.com>
+Date: Mon, 15 Mar 2021 20:12:51 +0100
+Subject: [PATCH] Invalid generators were not removed from zone list (#810)
+Bug: https://github.com/FluidSynth/fluidsynth/issues/808
+Bug-Debian: https://bugs.debian.org/987168
+
+fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
+---
+ src/sfloader/fluid_sffile.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
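Review bot: the DEP-3 header carries Bug: and Bug-Debian: but no Origin: field; since this is the unmodified upstream commit (hash 005719628aef0bd48dc7b2f860c7e4ca16b81044 on the From line), add an `Origin: upstream` line pointing at that commit, and mention CVE-2021-28421 in the description so the security tracker can match the patch without going through debian/changelog.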
+diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
+index 001a0a0a4..47ab98d97 100644
+--- a/src/sfloader/fluid_sffile.c
++++ b/src/sfloader/fluid_sffile.c
+@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
+  * ------------------------------------------------------------------- */
+ static int load_pgen(SFData *sf, int size)
+ {
+-    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+     SFZone *z;
+     SFGen *g;
+     SFGenAmount genval;
+@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
+         /* traverse through all presets */
+         gzone = FALSE;
+         discarded = FALSE;
+-        p2 = ((SFPreset *)(p->data))->zone;
++        start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
+ 
+         if(p2)
+         {
+@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
+                 }
+                 else
+                 {
++                    p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+                     /* previous global zone exists, discard */
+                     FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
+                               ((SFPreset *)(p->data))->name);
+-                    *hz = fluid_list_remove(*hz, p2->data);
+-                    delete_zone((SFZone *)fluid_list_get(p2));
++                    fluid_list_remove(start_of_zone_list, z);
++                    delete_zone(z);
++                    continue;
+                 }
+             }
+ 
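Review bot: the head returned by `fluid_list_remove(start_of_zone_list, z)` is discarded, so this is only correct if `z` is never the first element of the preset's zone list; the comment says the branch runs only when a previous global zone already exists, so `z` has a predecessor and the preset's zone pointer is untouched, but if the head could ever be removed here it would be left pointing at freed memory. A one-line comment, or an assertion that `z != start_of_zone_list->data`, would make that invariant visible. The early `p2 = fluid_list_next(p2);` and the trailing `continue;` are also a pair: the loop's own advance lies outside this hunk and `continue` skips it, so moving either line alone would skip or revisit a zone.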
+@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size)
+ /* load instrument generators (see load_pgen for loading rules) */
+ static int load_igen(SFData *sf, int size)
+ {
+-    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+     SFZone *z;
+     SFGen *g;
+     SFGenAmount genval;
+@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size)
+         /* traverse through all instruments */
+         gzone = FALSE;
+         discarded = FALSE;
+-        p2 = ((SFInst *)(p->data))->zone;
++        start_of_zone_list = p2 = ((SFInst *)(p->data))->zone;
+ 
+         if(p2)
+         {
+@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size)
+                 }
+                 else
+                 {
++                    p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+                     /* previous global zone exists, discard */
+                     FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone",
+                               ((SFInst *)(p->data))->name);
+-                    *hz = fluid_list_remove(*hz, p2->data);
+-                    delete_zone((SFZone *)fluid_list_get(p2));
++                    fluid_list_remove(start_of_zone_list, z);
++                    delete_zone(z);
++                    continue;
+                 }
+             }
+ 
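Review bot: this block is a line-for-line copy of the preset discard path in load_pgen, with the same ordering constraint (advance p2, remove z from the head-anchored list, delete_zone(z), continue) and the same unchecked assumption that z is not the head; the original bug existed identically in both loaders, so a small shared helper that takes the list head, the element and the next pointer would keep the two call sites from drifting apart again.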
diff -Nru fluidsynth-2.1.7/debian/patches/series fluidsynth-2.1.7/debian/patches/series
--- fluidsynth-2.1.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ fluidsynth-2.1.7/debian/patches/series	2021-04-24 13:35:27.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-28421.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
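The mechanism the upstream commit message describes (a remove call handed a mid-list pointer cannot fix up the predecessor, so the node stays linked and the later free turns the next traversal into a use-after-free) can be reproduced on a minimal list. The following is an added illustration, not FluidSynth code: node_t, list_remove(), zone_t and the two discard_* functions are simplified stand-ins for fluid_list_t, fluid_list_remove(), SFZone and the two call sites in the patch, and the three-zone preset is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct zone { int id; } zone_t;                         /* stand-in for SFZone */
typedef struct node { void *data; struct node *next; } node_t;  /* stand-in for fluid_list_t */
typedef struct { int still_linked; int resume_id; } discard_result_t;

/* Stand-in for fluid_list_remove(): walk from `list`, unlink the first node whose
 * data matches, return the head as seen from `list`. The real function also frees
 * the node; this one does not, so the old call site's broken list can be inspected. */
static node_t *list_remove(node_t *list, void *data)
{
    node_t *prev = NULL, *cur = list;
    for (; cur; prev = cur, cur = cur->next) {
        if (cur->data != data)
            continue;
        if (prev)
            prev->next = cur->next;     /* predecessor visible: real unlink */
        else
            list = cur->next;           /* no predecessor visible from `list` */
        return list;
    }
    return list;
}

static node_t *list_prepend(node_t *list, void *data)
{
    node_t *n = malloc(sizeof *n);
    if (!n)
        abort();
    n->data = data;
    n->next = list;
    return n;
}

static int list_contains(const node_t *l, const void *data)
{
    for (; l; l = l->next)
        if (l->data == data)
            return 1;
    return 0;
}

static void list_free(node_t *l)                /* nodes only; zones live on the stack */
{
    while (l) {
        node_t *nx = l->next;
        free(l);
        l = nx;
    }
}

/* Constructed preset: zone 0 (global), zone 1 (a second, invalid global), zone 2. */
static node_t *build_preset(zone_t zones[3])
{
    node_t *head = NULL;
    for (int i = 2; i >= 0; i--) {
        zones[i].id = i;
        head = list_prepend(head, &zones[i]);
    }
    return head;
}

/* Old call site: `*hz = fluid_list_remove(*hz, p2->data)` with *hz at the current
 * element, not the head. Returns 1 if the discarded zone is still reachable from
 * the head afterwards, i.e. delete_zone() would leave a dangling data pointer. */
static int discard_old_way(void)
{
    zone_t zones[3];
    node_t *head = build_preset(zones), *cur = head->next;   /* invalid global zone */
    zone_t *z = cur->data;
    list_remove(cur, z);                        /* head->next still points at cur */
    int still_linked = list_contains(head, z);
    list_free(head);
    return still_linked;
}

/* Patched call site: remember the successor, remove from the real head, free the
 * node, continue from the successor. Nothing stays linked, nothing is skipped. */
static discard_result_t discard_fixed_way(void)
{
    zone_t zones[3];
    node_t *head = build_preset(zones), *victim = head->next, *next = victim->next;
    zone_t *z = victim->data;
    head = list_remove(head, z);
    free(victim);                               /* the real fluid_list_remove does this */
    discard_result_t r = { list_contains(head, z), next ? ((zone_t *)next->data)->id : -1 };
    list_free(head);
    return r;
}

int main(void)
{
    discard_result_t r = discard_fixed_way();
    printf("old way: discarded zone still linked = %d\n", discard_old_way());
    printf("patched: still linked = %d, loop resumes at zone %d\n", r.still_linked, r.resume_id);
    return 0;
}
```

The old path reports the zone as still reachable from the head after the remove, which is the state in which FluidSynth's delete_zone() freed memory the list still pointed to; the patched path unlinks it from the head and resumes at zone 2, matching the advance-remove-free-continue order in both hunks of the patch.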
--- Begin Message ---
Hi,

On 24-04-2021 14:13, Reiner Herrmann wrote:
> Please unblock package fluidsynth

unblocked.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
