• Bug#1099609: miniaudio: CVE-2024-41147

    From Salvatore Bonaccorso@21:1/5 to All on Wed Mar 5 17:40:01 2025
    Source: miniaudio
    Version: 0.11.21+dfsg-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for miniaudio.

    CVE-2024-41147[0]:
    | An out-of-bounds write vulnerability exists in the
    | ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio
    | v0.11.21. A specially crafted .flac file can lead to memory
    | corruption. An attacker can provide a malicious file to trigger this
    | vulnerability.

    I suspect this is fixed in upstream 0.11.22, but have not isolated the respective commit.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-41147
    https://www.cve.org/CVERecord?id=CVE-2024-41147
    [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2063

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Fri Mar 7 16:00:01 2025
    Processing control commands:

    forwarded -1 https://github.com/mackron/miniaudio/issues/961
    Bug #1099609 [src:miniaudio] miniaudio: CVE-2024-41147
    Set Bug forwarded-to-address to 'https://github.com/mackron/miniaudio/issues/961'.

    --
    1099609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099609
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Sun Mar 9 14:00:01 2025

    Your message dated Sun, 09 Mar 2025 12:49:47 +0000
    with message-id <E1trG6F-00BmqN-P8@fasolo.debian.org>
    and subject line Bug#1099609: fixed in miniaudio 0.11.22+dfsg-1
    has caused the Debian Bug report #1099609,
    regarding miniaudio: CVE-2024-41147
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1099609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099609
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 5 Mar 2025 16:36:18 +0000