Bug 782700 (CVE-2021-28421)

Summary: <media-sound/fluidsynth-2.2.0: UAF leading to code execution
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fordfrog, sound
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/FluidSynth/fluidsynth/issues/808
Whiteboard: B2 [glsa+ cve]
Package list: media-sound/fluidsynth-2.2.0-r1
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-04-13 18:06:12 UTC
CVE-2021-28421:

FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/fluid_sffile.c that can result in arbitrary code execution or a denial of service (DoS) if a malicious soundfont2 file is loaded into a fluidsynth library.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-13 18:30:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7535acc9b7bdb3607217e0113b17fa05c2887cd3

commit 7535acc9b7bdb3607217e0113b17fa05c2887cd3
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-13 18:30:00 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-13 18:30:19 +0000

    media-sound/fluidsynth: bump to 2.2.0
    
    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/fluidsynth/Manifest                |   1 +
 media-sound/fluidsynth/fluidsynth-2.2.0.ebuild | 115 +++++++++++++++++++++++++
 2 files changed, 116 insertions(+)
Comment 2 Miroslav Šulc gentoo-dev 2021-04-13 18:31:12 UTC
I'd give it at least a few days to let any issues pop up before stabilization. If there's no issue, it would be ok to stabilize.
Comment 3 John Helmert III gentoo-dev Security 2021-04-13 18:57:07 UTC
Thanks!
Comment 4 jospezial 2021-04-14 16:27:25 UTC
(In reply to Miroslav Šulc from comment #2)
> I'd give it at least a few days to let any issues pop up before stabilization.
> If there's no issue, it would be ok to stabilize.

see also https://bugs.gentoo.org/show_bug.cgi?id=782868
Subslot change needed.
Comment 5 Larry the Git Cow gentoo-dev 2021-04-14 17:13:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aa4970e80f7af7b3af270b17f9a91ad5f8eb3cd

commit 2aa4970e80f7af7b3af270b17f9a91ad5f8eb3cd
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-14 17:13:08 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-14 17:13:35 +0000

    media-sound/fluidsynth: revbump for previous change
    
    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../fluidsynth/{fluidsynth-2.2.0.ebuild => fluidsynth-2.2.0-r1.ebuild}    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
Comment 6 Miroslav Šulc gentoo-dev 2021-04-18 05:24:18 UTC
I think it's safe to go stable now.
Comment 7 John Helmert III gentoo-dev Security 2021-04-18 14:37:46 UTC
Thanks!
Comment 8 Rolf Eike Beer archtester 2021-04-18 19:42:35 UTC
sparc stable
Comment 9 Sam James archtester gentoo-dev Security 2021-04-18 21:18:09 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-04-18 21:24:52 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-04-19 04:31:40 UTC
arm64 done
Comment 12 Sam James archtester gentoo-dev Security 2021-04-19 04:32:26 UTC
arm done
Comment 13 Sam James archtester gentoo-dev Security 2021-04-20 11:59:22 UTC
ppc done
Comment 14 Sam James archtester gentoo-dev Security 2021-04-22 12:14:14 UTC
ppc64 done

all arches done
Comment 15 Larry the Git Cow gentoo-dev 2021-04-22 12:19:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55931a04b401d9aacecabd6d682b283ed70b3af2

commit 55931a04b401d9aacecabd6d682b283ed70b3af2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-22 12:18:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-22 12:19:05 +0000

    media-sound/fluidsynth: removed obsolete and vulnerable 2.1.5
    
    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/fluidsynth/Manifest                |   1 -
 media-sound/fluidsynth/fluidsynth-2.1.5.ebuild | 115 -------------------------
 2 files changed, 116 deletions(-)
Comment 16 Miroslav Šulc gentoo-dev 2021-04-22 12:19:36 UTC
The tree is clean now, you can proceed.
Comment 17 John Helmert III gentoo-dev Security 2021-04-22 13:12:11 UTC
Thanks!
Comment 18 John Helmert III gentoo-dev Security 2021-07-14 23:27:31 UTC
GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2021-07-15 05:16:12 UTC
This issue was resolved and addressed in GLSA 202107-34 at https://security.gentoo.org/glsa/202107-34 by GLSA coordinator John Helmert III (ajak).