CVE-2021-28421: FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/fluid_sffile.c that can result in arbitrary code execution or a denial of service (DoS) if a malicious soundfont2 file is loaded into a fluidsynth library.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7535acc9b7bdb3607217e0113b17fa05c2887cd3

commit 7535acc9b7bdb3607217e0113b17fa05c2887cd3
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-13 18:30:00 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-13 18:30:19 +0000

    media-sound/fluidsynth: bump to 2.2.0

    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/fluidsynth/Manifest                | 1 +
 media-sound/fluidsynth/fluidsynth-2.2.0.ebuild | 115 +++++++++++++++++++++++++
 2 files changed, 116 insertions(+)
i'd give it at least few days to let any issues pop up before stabilization. if there's no issue, it would be ok to stabilize.
Thanks!
(In reply to Miroslav Šulc from comment #2)
> i'd give it at least few days to let any issues pop up before stabilization.
> if there's no issue, it would be ok to stabilize.

see also https://bugs.gentoo.org/show_bug.cgi?id=782868
Subslot change needed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aa4970e80f7af7b3af270b17f9a91ad5f8eb3cd

commit 2aa4970e80f7af7b3af270b17f9a91ad5f8eb3cd
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-14 17:13:08 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-14 17:13:35 +0000

    media-sound/fluidsynth: revbump for previous change

    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../fluidsynth/{fluidsynth-2.2.0.ebuild => fluidsynth-2.2.0-r1.ebuild} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
i think it's safe to go stable now.
sparc stable
amd64 done
x86 done
arm64 done
arm done
ppc done
ppc64 done
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55931a04b401d9aacecabd6d682b283ed70b3af2

commit 55931a04b401d9aacecabd6d682b283ed70b3af2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-22 12:18:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-22 12:19:05 +0000

    media-sound/fluidsynth: removed obsolete and vulnerable 2.1.5

    Bug: https://bugs.gentoo.org/782700
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/fluidsynth/Manifest                | 1 -
 media-sound/fluidsynth/fluidsynth-2.1.5.ebuild | 115 -------------------------
 2 files changed, 116 deletions(-)
the tree is clean now, you can proceed
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-34 at https://security.gentoo.org/glsa/202107-34 by GLSA coordinator John Helmert III (ajak).