Your message dated Sat, 31 Jan 2026 18:48:29 +0000
with message-id <[email protected]>
and subject line Bug#1126694: fixed in libchdr 0.0~git20250608.8bba774+dfsg-2
has caused the Debian Bug report #1126694,
regarding libchdr: CVE-2025-14369
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126694
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libchdr
Version: 0.0~git20250608.8bba774+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libchdr.
CVE-2025-14369[0]:
| dr_flac, an audio decoder within the dr_libs toolset, contains an
| integer overflow vulnerability flaw due to trusting the
| totalPCMFrameCount field from FLAC metadata before calculating
| buffer size, allowing an attacker with a specially crafted file to
| perform DoS against programs using the tool.
libchdr makes use of an embedded dr_flac.h with afaics vulnerable
code.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-14369
https://www.cve.org/CVERecord?id=CVE-2025-14369
[1] https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0
[2] https://www.kb.cert.org/vuls/id/924114
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
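The bug class named in the CVE description above (a buffer size computed from an untrusted frame count), shown as an added C example that is not part of the bug report and is not dr_flac or libchdr code. All function names, the 32-bit sample size and the `max_bytes` ceiling are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper names; illustrative only, not dr_flac or libchdr code. */

/* Unchecked: unsigned arithmetic wraps silently, so a huge declared frame
   count can produce a tiny byte count. */
static size_t pcm_bytes_unchecked(uint64_t total_frames, uint32_t channels)
{
    return (size_t)(total_frames * channels * sizeof(int32_t));
}

/* Checked: stores the byte count and returns 0, or returns -1 when the
   declared count is zero, would overflow size_t, or exceeds max_bytes. */
static int pcm_bytes_checked(uint64_t total_frames, uint32_t channels,
                             size_t max_bytes, size_t *out_bytes)
{
    uint64_t per_frame = (uint64_t)channels * sizeof(int32_t); /* fits: 32-bit value times 4 */

    if (total_frames == 0 || per_frame == 0)
        return -1;
    if (total_frames > SIZE_MAX / per_frame)   /* product would wrap */
        return -1;
    if (total_frames * per_frame > max_bytes)  /* caller's allocation ceiling */
        return -1;
    *out_bytes = (size_t)(total_frames * per_frame);
    return 0;
}

int main(void)
{
    /* Constructed metadata value chosen so the product wraps modulo 2^64. */
    uint64_t declared = 0x4000000000000001ULL;
    size_t n = 0;

    printf("unchecked: %zu bytes\n", pcm_bytes_unchecked(declared, 2));
    printf("checked:   %d\n", pcm_bytes_checked(declared, 2, (size_t)1 << 30, &n));
    if (pcm_bytes_checked(44100, 2, (size_t)1 << 30, &n) == 0)
        printf("1 s of 44.1 kHz stereo: %zu bytes\n", n);
    return 0;
}
```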
--- Begin Message ---
Source: libchdr
Source-Version: 0.0~git20250608.8bba774+dfsg-2
Done: Sébastien Noel <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libchdr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sébastien Noel <[email protected]> (supplier of updated libchdr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 31 Jan 2026 19:08:06 +0100
Source: libchdr
Architecture: source
Version: 0.0~git20250608.8bba774+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Sébastien Noel <[email protected]>
Closes: 1126694
Changes:
libchdr (0.0~git20250608.8bba774+dfsg-2) unstable; urgency=medium
.
* Team upload
* fix FTBFS on x32
* fix CVE-2025-14369 (Closes: #1126694)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---