Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1129962,
regarding trixie-pu: package libsndfile/1.2.2-2+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libsndfile
User: [email protected]
Usertags: pu
Low severity security issue in libsndfile, all tests in debusine
passed fine. Debdiff below.
Cheers,
Moritz
diff -Nru libsndfile-1.2.2/debian/changelog libsndfile-1.2.2/debian/changelog
--- libsndfile-1.2.2/debian/changelog 2024-12-14 13:50:37.000000000 +0100
+++ libsndfile-1.2.2/debian/changelog 2026-03-04 20:48:11.000000000 +0100
@@ -1,3 +1,9 @@
+libsndfile (1.2.2-2+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-56226 (Closes: #1125674)
+
+ -- Moritz Mühlenhoff <[email protected]> Wed, 04 Mar 2026 20:48:11 +0100
+
libsndfile (1.2.2-2) unstable; urgency=high
[ Fabian Toepfer ]
diff -Nru libsndfile-1.2.2/debian/patches/CVE-2025-56226.patch
libsndfile-1.2.2/debian/patches/CVE-2025-56226.patch
--- libsndfile-1.2.2/debian/patches/CVE-2025-56226.patch 1970-01-01
01:00:00.000000000 +0100
+++ libsndfile-1.2.2/debian/patches/CVE-2025-56226.patch 2026-03-04
20:48:08.000000000 +0100
@@ -0,0 +1,25 @@
+From d9a35ea0d5c64c19dd635ae578e0028df8f66d6a Mon Sep 17 00:00:00 2001
+From: Sisyphus-wang <[email protected]>
+Date: Fri, 11 Jul 2025 15:14:48 +0800
+Subject: [PATCH] Update mpeg_l3_encode.c
+
+--- libsndfile-1.2.2.orig/src/mpeg_l3_encode.c
++++ libsndfile-1.2.2/src/mpeg_l3_encode.c
+@@ -87,7 +87,8 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, i
+ if (! (pmpeg->lamef = lame_init ()))
+ return SFE_MALLOC_FAILED ;
+
+- pmpeg->compression = -1.0 ; /* Unset */
++ psf->codec_close = mpeg_l3_encoder_close ; /* Set
psf->codec_close early*/
++ pmpeg->compression = -1.0 ; /* Unset */
+
+ lame_set_in_samplerate (pmpeg->lamef, psf->sf.samplerate) ;
+ lame_set_num_channels (pmpeg->lamef, psf->sf.channels) ;
+@@ -115,7 +116,6 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, i
+ }
+
+ psf->sf.seekable = 0 ;
+- psf->codec_close = mpeg_l3_encoder_close ;
+ psf->byterate = mpeg_l3_encoder_byterate ;
+ psf->datalength = 0 ;
+
diff -Nru libsndfile-1.2.2/debian/patches/series
libsndfile-1.2.2/debian/patches/series
--- libsndfile-1.2.2/debian/patches/series 2024-12-14 13:50:32.000000000
+0100
+++ libsndfile-1.2.2/debian/patches/series 2026-03-04 20:47:56.000000000
+0100
@@ -13,3 +13,4 @@
CVE-2022-33065/CVE-2022-33065-12.patch
CVE-2022-33065/CVE-2022-33065-13.patch
0039-src-ogg-better-error-checking-for-vorbis.-Fixes-1035.patch
+CVE-2025-56226.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---
