Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1129963,
regarding trixie-pu: package fluidsynth/2.4.4+dfsg-1+deb13u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129963
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:fluidsynth
User: [email protected]
Usertags: pu
Low severity security issue in fluidsynth, all tests in debusine pass.
Debdiff below.
Cheers,
Moritz
diff -Nru fluidsynth-2.4.4+dfsg/debian/changelog
fluidsynth-2.4.4+dfsg/debian/changelog
--- fluidsynth-2.4.4+dfsg/debian/changelog 2025-09-02 15:12:09.000000000
+0200
+++ fluidsynth-2.4.4+dfsg/debian/changelog 2026-03-04 20:50:29.000000000
+0100
@@ -1,3 +1,9 @@
+fluidsynth (2.4.4+dfsg-1+deb13u2) trixie; urgency=medium
+
+ * CVE-2025-56225
+
+ -- Moritz Mühlenhoff <[email protected]> Wed, 04 Mar 2026 20:50:29 +0100
+
fluidsynth (2.4.4+dfsg-1+deb13u1) trixie; urgency=medium
* Set the default samplerate to 48000 and buffer size to 512 in the
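Review bot: The new changelog entry for 2.4.4+dfsg-1+deb13u2 consists only of "CVE-2025-56225" and does not say what is being fixed or which patch carries the fix. Suggest wording along the lines of "Fix NULL pointer dereference during legato mode (CVE-2025-56225)" and naming debian/patches/CVE-2025-56225.patch, so that someone reading the changelog can judge the update without opening the patch.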
diff -Nru fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch
fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch
--- fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch 1970-01-01
01:00:00.000000000 +0100
+++ fluidsynth-2.4.4+dfsg/debian/patches/CVE-2025-56225.patch 2026-03-04
20:50:27.000000000 +0100
@@ -0,0 +1,16 @@
+From 45f2a79f4265dcc4f98cfbafdb10727fb1c0d411 Mon Sep 17 00:00:00 2001
+From: "Tom M." <[email protected]>
+Date: Mon, 14 Jul 2025 18:13:38 +0200
+Subject: [PATCH] Fix a nullpointer dereference during legato mode (#1607)
+
+--- fluidsynth-2.4.4+dfsg.orig/src/synth/fluid_synth_monopoly.c
++++ fluidsynth-2.4.4+dfsg/src/synth/fluid_synth_monopoly.c
+@@ -410,7 +410,7 @@ int fluid_synth_noteoff_mono_LOCAL(fluid
+ fluid_channel_breath_msb(channel))
+ {
+ /* legato playing detection */
+- if(channel->mode & FLUID_CHANNEL_LEGATO_PLAYING)
++ if (channel->mode & FLUID_CHANNEL_LEGATO_PLAYING &&
channel->preset != NULL)
+ {
+ /* the list contains others notes */
+ if(i_prev >= 0)
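Review bot: In the fluid_synth_noteoff_mono_LOCAL hunk, the replacement condition mixes `&` and `&&` without parentheses and is written `if (` with a space, while the removed line and the neighbouring `if(i_prev >= 0)` use `if(`. Operator precedence makes it evaluate as intended, but `(channel->mode & FLUID_CHANNEL_LEGATO_PLAYING) && channel->preset != NULL` would read unambiguously. The added line is also wrapped in this mail, so `channel->preset != NULL)` appears without a `+` prefix; the patch should be taken from the uploaded source package rather than copied from this message. The patch header carries the upstream commit hash and "(#1607)" but no URL, so a DEP-3 `Origin:` field pointing at the upstream commit would make later triage easier.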
diff -Nru fluidsynth-2.4.4+dfsg/debian/patches/series
fluidsynth-2.4.4+dfsg/debian/patches/series
--- fluidsynth-2.4.4+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ fluidsynth-2.4.4+dfsg/debian/patches/series 2026-03-04 20:50:16.000000000
+0100
@@ -0,0 +1 @@
+CVE-2025-56225.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---