Source: fluidsynth
Version: 2.5.1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/FluidSynth/fluidsynth/issues/1717 https://github.com/FluidSynth/fluidsynth/issues/1728
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for fluidsynth.

CVE-2025-68617[0]:
| FluidSynth is a software synthesizer based on the SoundFont 2
| specifications. From versions 2.5.0 to before 2.5.2, a race
| condition during unloading of a DLS file can trigger a heap-based
| use-after-free. A concurrently running thread may be pending to
| unload a DLS file, leading to use of freed memory, if the
| synthesizer is being concurrently destroyed, or samples of the
| (unloaded) DLS file are concurrently used to synthesize audio. This
| issue has been patched in version 2.5.2. The problem will not occur,
| when explicitly unloading a DLS file (before synth destruction),
| provided that at the time of unloading, no samples of the respective
| file are used by active voices. The problem will not occur in
| versions of FluidSynth that have been compiled without native DLS
| support.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68617
    https://www.cve.org/CVERecord?id=CVE-2025-68617
[1] https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch
[2] https://github.com/FluidSynth/fluidsynth/issues/1717
[3] https://github.com/FluidSynth/fluidsynth/issues/1728

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

