Your message dated Thu, 25 Dec 2025 10:19:06 +0000
with message-id <[email protected]>
and subject line Bug#1123964: fixed in fluidsynth 2.5.2+dfsg-1
has caused the Debian Bug report #1123964,
regarding fluidsynth: CVE-2025-68617
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123964: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123964
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fluidsynth
Version: 2.5.1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/FluidSynth/fluidsynth/issues/1717 https://github.com/FluidSynth/fluidsynth/issues/1728
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for fluidsynth.

CVE-2025-68617[0]:
| FluidSynth is a software synthesizer based on the SoundFont 2
| specifications. From versions 2.5.0 to before 2.5.2, a race
| condition during unloading of a DLS file can trigger a heap-based
| use-after-free. A concurrently running thread may be pending to
| unload a DLS file, leading to use of freed memory, if the
| synthesizer is being concurrently destroyed, or samples of the
| (unloaded) DLS file are concurrently used to synthesize audio. This
| issue has been patched in version 2.5.2. The problem will not occur,
| when explicitly unloading a DLS file (before synth destruction),
| provided that at the time of unloading, no samples of the respective
| file are used by active voices. The problem will not occur in
| versions of FluidSynth that have been compiled without native DLS
| support.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68617
    https://www.cve.org/CVERecord?id=CVE-2025-68617
[1] https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch
[2] https://github.com/FluidSynth/fluidsynth/issues/1717
[3] https://github.com/FluidSynth/fluidsynth/issues/1728

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: fluidsynth
Source-Version: 2.5.2+dfsg-1
Done: Fabian Greffrath <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fluidsynth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <[email protected]> (supplier of updated fluidsynth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Dec 2025 11:07:16 +0100
Source: fluidsynth
Architecture: source
Version: 2.5.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Fabian Greffrath <[email protected]>
Closes: 1123964
Changes:
 fluidsynth (2.5.2+dfsg-1) unstable; urgency=high
 .
   * New upstream version 2.5.2+dfsg
     + Closes: #1123964, CVE-2025-68617
   * Urgency high



--- End Message ---
