Bug#987471:

2021-04-24 Thread Utkarsh Gupta
user debian-rele...@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
thank you



Bug#987471: unblock: fluidsynth/2.1.7-1.1

2021-04-24 Thread Reiner Herrmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: utka...@debian.org, debian-multime...@lists.debian.org

Please unblock package fluidsynth

I intend to NMU version 2.1.7-1.1 to DELAYED/3, which imports
an upstream security fix.

[ Reason ]
The package has a use-after-free vulnerability.

[ Impact ]
Arbitrary code execution or denial of service.

[ Tests ]
I tested that it compiles and installs, and I ran it against the
vulnerable example file from the upstream bug tracker. With the
patch applied, it no longer crashes.

unblock fluidsynth/2.1.7-1.1
diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
--- fluidsynth-2.1.7/debian/changelog	2021-02-09 21:43:23.0 +0100
+++ fluidsynth-2.1.7/debian/changelog	2021-04-24 13:37:51.0 +0200
@@ -1,3 +1,11 @@
+fluidsynth (2.1.7-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
+(Closes: #987168)
+
+ -- Reiner Herrmann   Sat, 24 Apr 2021 13:37:51 +0200
+
 fluidsynth (2.1.7-1) unstable; urgency=medium
 
   * New upstream version 2.1.7
diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
--- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	1970-01-01 01:00:00.0 +0100
+++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	2021-04-24 13:35:20.0 +0200
@@ -0,0 +1,84 @@
+From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
+From: Tom M 
+Date: Mon, 15 Mar 2021 20:12:51 +0100
+Subject: [PATCH] Invalid generators were not removed from zone list (#810)
+Bug: https://github.com/FluidSynth/fluidsynth/issues/808
+Bug-Debian: https://bugs.debian.org/987168
+
+fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
+---
+ src/sfloader/fluid_sffile.c | 20 
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
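Review bot: the DEP-3 header lacks an `Origin:` line even though the `From:` line identifies the upstream commit; add `Origin: upstream, https://github.com/FluidSynth/fluidsynth/commit/005719628aef0bd48dc7b2f860c7e4ca16b81044` (repository URL as in the `Bug:` line) so the provenance is machine-readable next to `Bug:` and `Bug-Debian:`. As pasted here the diffstat bars and the `+++ b/src/sfloader/fluid_sffile.c` marker have also been lost, so confirm that the patch file in the actual upload still applies cleanly.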
+diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
+index 001a0a0a4..47ab98d97 100644
+--- a/src/sfloader/fluid_sffile.c
 b/src/sfloader/fluid_sffile.c
+@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
+  * --- */
+ static int load_pgen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
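Review bot: `hz` is kept in the declaration on the `+` line next to the new `start_of_zone_list`, yet the only use of `hz` this patch touches (`*hz = fluid_list_remove(*hz, p2->data);`) is deleted further down. If nothing else in load_pgen reads it, the `**hz = NULL` declaration is now dead and should be removed with it; otherwise a set-but-unused warning is likely.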
+@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
+ /* traverse through all presets */
+ gzone = FALSE;
+ discarded = FALSE;
+-p2 = ((SFPreset *)(p->data))->zone;
++start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
+ 
+ if(p2)
+ {
+@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
+ }
+ else
+ {
++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
+   ((SFPreset *)(p->data))->name);
+-*hz = fluid_list_remove(*hz, p2->data);
+-delete_zone((SFZone *)fluid_list_get(p2));
++fluid_list_remove(start_of_zone_list, z);
++delete_zone(z);
++continue;
+ }
+ }
+ 
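Review bot: the return value of `fluid_list_remove(start_of_zone_list, z)` is dropped, whereas the removed line kept it (`*hz = fluid_list_remove(...)`). If `z` were ever the first element, the function could not unlink it through a predecessor and could only report the new head via its return value, so `((SFPreset *)(p->data))->zone` and `start_of_zone_list` would keep pointing at the freed node. This `else` branch is reached only when a previous global zone already exists, which suggests `z` is never the head here, but that invariant is not stated; either write the result back (`start_of_zone_list = ((SFPreset *)(p->data))->zone = fluid_list_remove(start_of_zone_list, z);`) or add a comment explaining why the head cannot be removed. The new `continue` also relies on the enclosing loop not advancing `p2` in its own increment clause; that loop header is outside the hunk, so it should be checked and the comment on the `p2 = fluid_list_next(p2)` line could say so.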
+@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size)
+ /* load instrument generators (see load_pgen for loading rules) */
+ static int load_igen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
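Review bot: this is a verbatim repeat of the load_pgen change (same `start_of_zone_list` variable, same advance/remove/`continue` sequence in the following hunks), and the bug existed in both loaders precisely because the logic is duplicated; consider factoring the discard-invalid-global-zone step into one helper that takes the zone list head, so the two copies cannot drift apart again. The `**hz = NULL` declaration is also kept here although the patch deletes its use in the discard branch; drop it if nothing else in load_igen reads it.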
+@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size)
+ /* traverse through all instruments */
+ gzone = FALSE;
+ discarded = FALSE;
+-p2 = ((SFInst *)(p->data))->zone;
++start_of_zone_list = p2 = ((SFInst *)(p->data))->zone;
+ 
+ if(p2)
+ {
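Review bot: `start_of_zone_list` aliases `((SFInst *)(p->data))->zone` at this point, so if the discard branch below ever removes the first zone, the instrument's `zone` field will still point at the freed node unless the head returned by `fluid_list_remove` is written back to it. Either do that (`((SFInst *)(p->data))->zone = start_of_zone_list = fluid_list_remove(start_of_zone_list, z);`) or document that a duplicate global zone can never be the head of the list.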
+@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size)
+ }
+ else
+ {
++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone",
+   ((SFInst *)(p->data))->name);
+-*hz = fluid_list_remove(*hz, p2->data);
+-
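As an added illustration of the list-removal mistake the commit message describes (example code written for this page, not fluidsynth's code and not part of this upload): a toy singly-linked list with the shape of `fluid_list_t` (data pointer plus next pointer) and a `list_remove()` that, like the one described above, expects the real list head and returns the possibly new head. `node_t`, `zone_t`, the two `discard_duplicate_globals_*` loops and the five-zone input are constructed for the example; the loops are simplified sketches of the pre-fix pattern (handing the cursor to the remove routine as if it were the head) and the post-fix pattern (advance first, remove from the real head, keep the returned head), not the load_pgen code. Instead of calling free() the example quarantines released pointers, so it can safely walk the list afterwards and count how many released nodes the predecessor still links to.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy list shaped like fluid_list_t (assumption: modeled on, not copied from, fluidsynth). */
typedef struct node { void *data; struct node *next; } node_t;
/* Stand-in for SFZone; is_global plays the role of "no instrument/sample linked". */
typedef struct { int id; int is_global; } zone_t;

/* Quarantine instead of free(): released pointers are recorded, not unmapped, so the
 * example can inspect what the pre-fix code would otherwise read after free. */
#define MAX_PTRS 32
static void *released[MAX_PTRS]; static int n_released;
static void *allocs[MAX_PTRS];   static int n_allocs;

static void *track_alloc(size_t sz) { void *p = calloc(1, sz); allocs[n_allocs++] = p; return p; }
static void release(void *p) { released[n_released++] = p; }
static int is_released(const void *p) {
    for (int i = 0; i < n_released; i++) if (released[i] == p) return 1;
    return 0;
}

static node_t *list_append(node_t *head, void *data) {
    node_t *n = track_alloc(sizeof *n); n->data = data;
    if (!head) return n;
    node_t *t = head; while (t->next) t = t->next; t->next = n;
    return head;
}

/* Unlink and release the node holding `data`. `head` must be the real list head:
 * only then can the predecessor be patched. Returns the (possibly new) head. */
static node_t *list_remove(node_t *head, void *data) {
    node_t *prev = NULL;
    for (node_t *t = head; t; prev = t, t = t->next) {
        if (t->data != data) continue;
        if (prev) prev->next = t->next;
        if (head == t) head = t->next;
        release(t);   /* a real implementation frees t here; t->next is left intact only for the toy walk */
        break;
    }
    return head;
}

/* Pre-fix pattern: the cursor p (a sublist) is handed to list_remove() as if it were the head. */
static void discard_duplicate_globals_buggy(node_t **head) {
    int gzone = 0;
    for (node_t *p = *head; p; ) {
        zone_t *z = p->data;
        if (z->is_global && gzone) {
            p = list_remove(p, z);   /* BUG: p's predecessor still points at the released node */
            release(z);              /* delete_zone() */
            continue;
        }
        if (z->is_global) gzone = 1;
        p = p->next;
    }
}

/* Post-fix pattern: advance first, remove from the real head, and keep the returned head. */
static void discard_duplicate_globals_fixed(node_t **head) {
    int gzone = 0;
    for (node_t *p = *head; p; ) {
        zone_t *z = p->data;
        if (z->is_global && gzone) {
            p = p->next;                     /* advance before the node is released */
            *head = list_remove(*head, z);   /* real head in, possibly new head out */
            release(z);
            continue;
        }
        if (z->is_global) gzone = 1;
        p = p->next;
    }
}

/* Walk from head: count released nodes still linked in, and collect the ids reached. */
static int audit(node_t *head, int *ids, int *n) {
    int dangling = 0; *n = 0;
    for (node_t *p = head; p; p = p->next) {
        if (is_released(p)) dangling++;
        ids[(*n)++] = ((zone_t *)p->data)->id;
    }
    return dangling;
}

/* Constructed input: global, duplicate global, local, duplicate global, local.
 * Returns how many released nodes are still reachable from the head after the pass. */
int run_scenario(int use_fix, int *ids, int *n) {
    static const int globals[] = {1, 1, 0, 1, 0};
    n_released = n_allocs = 0;
    node_t *head = NULL;
    for (int i = 0; i < 5; i++) {
        zone_t *z = track_alloc(sizeof *z); z->id = i + 1; z->is_global = globals[i];
        head = list_append(head, z);
    }
    if (use_fix) discard_duplicate_globals_fixed(&head); else discard_duplicate_globals_buggy(&head);
    int dangling = audit(head, ids, n);
    for (int i = 0; i < n_allocs; i++) free(allocs[i]);   /* real cleanup of everything, quarantined or not */
    return dangling;
}

int dangling_after(int use_fix) { int ids[8], n; return run_scenario(use_fix, ids, &n); }
/* slot < 0 returns the number of reachable zones, otherwise the id at that position. */
int survivors_after(int use_fix, int slot) { int ids[8], n; run_scenario(use_fix, ids, &n); return slot < 0 ? n : ids[slot]; }

int main(void) {
    int ids[8], n;
    printf("buggy: %d released node(s) still reachable\n", run_scenario(0, ids, &n));
    int d = run_scenario(1, ids, &n);
    printf("fixed: %d dangling, surviving zones:", d);
    for (int i = 0; i < n; i++) printf(" %d", ids[i]);
    printf("\n");
    return 0;
}
```

The buggy pass leaves two released nodes reachable from the head (a real free() would turn the next traversal into the use-after-free the commit message mentions); the fixed pass leaves none and the list reads 1, 3, 5. Writing the returned head back also covers the case the patch relies on an unstated invariant for: removal of the very first node.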