Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:fluidsynth
User: [email protected]
Usertags: pu
Low-severity security issue in fluidsynth; all tests in debusine pass.
Debdiff below.
Cheers,
Moritz
diff -Nru fluidsynth-2.4.4+dfsg/debian/changelog
fluidsynth-2.4.4+dfsg/debian/changelog
--- fluidsynth-2.4.4+dfsg/debian/changelog 2025-09-02 15:12:09.000000000
+0200
+++ fluidsynth-2.4.4+dfsg/debian/changelog 2026-03-04 20:50:29.000000000
+0100
@@ -1,3 +1,9 @@
+fluidsynth (2.4.4+dfsg-1+deb13u2) trixie; urgency=medium
+
+ * CVE-2025-56225
+
+ -- Moritz Mühlenhoff <[email protected]> Wed, 04 Mar 2026 20:50:29 +0100
+
fluidsynth (2.4.4+dfsg-1+deb13u1) trixie; urgency=medium
* Set the default samplerate to 48000 and buffer size to 512 in the
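Review bot: the new changelog entry at "* CVE-2025-56225" gives only the CVE id, so a reader of the changelog cannot tell what was fixed or how. Suggest wording it along the lines of the patch subject, e.g. "Fix NULL pointer dereference during legato mode (CVE-2025-56225)", and naming debian/patches/CVE-2025-56225.patch as the file that carries the fix.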
diff -Nru fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch
fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch
--- fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch 1970-01-01
01:00:00.000000000 +0100
+++ fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch 2026-03-04
20:50:27.000000000 +0100
@@ -0,0 +1,16 @@
+From 45f2a79f4265dcc4f98cfbafdb10727fb1c0d411 Mon Sep 17 00:00:00 2001
+From: "Tom M." <[email protected]>
+Date: Mon, 14 Jul 2025 18:13:38 +0200
+Subject: [PATCH] Fix a nullpointer dereference during legato mode (#1607)
+
+--- fluidsynth-2.4.4+dfsg.orig/src/synth/fluid_synth_monopoly.c
++++ fluidsynth-2.4.4+dfsg/src/synth/fluid_synth_monopoly.c
+@@ -410,7 +410,7 @@ int fluid_synth_noteoff_mono_LOCAL(fluid
+ fluid_channel_breath_msb(channel))
+ {
+ /* legato playing detection */
+- if(channel->mode & FLUID_CHANNEL_LEGATO_PLAYING)
++ if (channel->mode & FLUID_CHANNEL_LEGATO_PLAYING &&
channel->preset != NULL)
+ {
+ /* the list contains others notes */
+ if(i_prev >= 0)
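Review bot: in the changed condition in fluid_synth_noteoff_mono_LOCAL, the new test mixes & and && without parentheses. It does parse as intended, (channel->mode & FLUID_CHANNEL_LEGATO_PLAYING) && (channel->preset != NULL), because & binds tighter than &&, but explicit parentheses around the bit test would make that obvious to the next reader. With this guard, a channel that has the legato flag set but no preset now skips the legato branch and takes whatever path follows this if block, which is outside the visible context; worth confirming against the upstream commit that this is the intended note-off behaviour. The embedded patch header carries the upstream commit id and "(#1607)" but no Origin or Bug field; adding those DEP-3 headers would make the patch easier to trace.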
diff -Nru fluidsynth-2.4.4+dfsg/debian/patches/series
fluidsynth-2.4.4+dfsg/debian/patches/series
--- fluidsynth-2.4.4+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ fluidsynth-2.4.4+dfsg/debian/patches/series 2026-03-04 20:50:16.000000000
+0100
@@ -0,0 +1 @@
+CVE-2025-56225.patch