Source: timidity
Version: 2.13.2-40.2
Severity: important
Tags: upstream security
Hi,

the following vulnerabilities were published for timidity. All three issues seem to affect the same set of versions in Debian, thus filing only one bugreport:

CVE-2017-11546[0]:
| The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0
| allows remote attackers to cause a denial of service (divide-by-zero
| error and application crash) via a crafted mid file. NOTE: a crash
| might be relevant when using the --background option.

CVE-2017-11547[1]:
| The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows
| remote attackers to cause a denial of service (heap-based buffer
| over-read) via a crafted mid file. NOTE: a crash might be relevant when
| using the --background option. NOTE: the TiMidity++ README.alsaseq
| documentation suggests a setuid-root installation.

CVE-2017-11549[2]:
| The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows remote
| attackers to cause a denial of service (large loop and CPU consumption)
| via a crafted mid file. NOTE: CPU consumption might be relevant when
| using the --background option.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11546
[1] https://security-tracker.debian.org/tracker/CVE-2017-11547
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11547
[2] https://security-tracker.debian.org/tracker/CVE-2017-11549
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11549
[3] http://seclists.org/fulldisclosure/2017/Jul/83

Regards,
Salvatore
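As an added example (not code from this report, from Debian or from TiMidity++), the following C parser for the MThd chunk of a Standard MIDI File shows the kind of up-front validation that prevents the two input-driven failure classes named above, a zero value that later becomes a divisor and a length field larger than the data actually read, before any arithmetic or buffer access happens. The report does not state which fields the TiMidity++ bugs involve, so the checks here are general to the file format, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Outcome of validating a Standard MIDI File header (MThd chunk). */
enum smf_status { SMF_OK, SMF_TRUNCATED, SMF_BAD_MAGIC, SMF_BAD_LENGTH, SMF_BAD_FORMAT, SMF_ZERO_DIVISION };

struct smf_header {
    uint16_t format, ntracks;
    int smpte;                            /* 1: SMPTE time code, 0: pulses per quarter note */
    int ticks_per_beat;                   /* valid when !smpte */
    int frames_per_sec, ticks_per_frame;  /* valid when smpte */
};

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse MThd from buf. len is the number of bytes actually present, so every read
 * is bounded by the buffer rather than by a length field taken from the file. */
enum smf_status smf_parse_header(const uint8_t *buf, size_t len, struct smf_header *h)
{
    if (len < 14) return SMF_TRUNCATED;                    /* 8-byte chunk header + 6-byte body */
    if (memcmp(buf, "MThd", 4) != 0) return SMF_BAD_MAGIC;
    uint32_t hlen = rd32(buf + 4);
    if (hlen < 6 || hlen > len - 8) return SMF_BAD_LENGTH; /* claimed length must fit the data we hold */
    h->format = rd16(buf + 8);
    if (h->format > 2) return SMF_BAD_FORMAT;
    h->ntracks = rd16(buf + 10);
    uint16_t division = rd16(buf + 12);
    h->smpte = (division & 0x8000) != 0;
    if (h->smpte) {                 /* high byte: negative SMPTE frame rate; low byte: ticks per frame */
        h->frames_per_sec = -(int8_t)(division >> 8);
        h->ticks_per_frame = division & 0xff;
        if (h->frames_per_sec <= 0 || h->ticks_per_frame == 0) return SMF_ZERO_DIVISION;
    } else {
        h->ticks_per_beat = division;
        if (division == 0) return SMF_ZERO_DIVISION;       /* would otherwise become a divisor below */
    }
    return SMF_OK;
}

/* Tick-to-seconds conversion; only safe after smf_parse_header returned SMF_OK. */
double smf_ticks_to_seconds(const struct smf_header *h, uint32_t ticks, uint32_t usec_per_beat)
{
    if (h->smpte) return (double)ticks / ((double)h->frames_per_sec * h->ticks_per_frame);
    return (double)ticks * usec_per_beat / ((double)h->ticks_per_beat * 1e6);
}

/* Constructed sample headers (not from any real file): format 1, 2 tracks, 480 ticks/beat; then division = 0. */
static const uint8_t smf_good[14] = { 'M','T','h','d', 0,0,0,6, 0,1, 0,2, 0x01,0xE0 };
static const uint8_t smf_zero[14] = { 'M','T','h','d', 0,0,0,6, 0,1, 0,2, 0x00,0x00 };
```

The same pattern applies to every later length or count field in the track chunks: compare it against the bytes remaining in the buffer before indexing, never against the value the file claims.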