CVE-2021-21417


Description

fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use-after-free violation was discovered in fluidsynth that can be triggered when loading an invalid SoundFont file.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker


CVE-2021-21417

Name: CVE-2021-21417
Description: fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use-after-free violation was discovered in fluidsynth that can be triggered when loading an invalid SoundFont file.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2697-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release      Version                 Status
fluidsynth (PTS)    bullseye     2.1.7-1.1               fixed
                    bookworm     2.3.1-2                 fixed
                    trixie       2.4.4+dfsg-1+deb13u2    fixed
                    forky, sid   2.5.4+dfsg-1            fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version        Urgency   Origin        Debian Bugs
fluidsynth   source   stretch      1.1.6-4+deb9u1                 DLA-2697-1
fluidsynth   source   buster       1.1.11-1+deb10u1
fluidsynth   source   (unstable)   2.1.7-1.1

Notes

https://github.com/FluidSynth/fluidsynth/issues/808
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9



OS impact

Debian: fixed in 5 releases

Version    Status   Fixed in
trixie     Fixed    2.1.7-1.1
sid        Fixed    2.1.7-1.1
forky      Fixed    2.1.7-1.1
bullseye   Fixed    2.1.7-1.1
bookworm   Fixed    2.1.7-1.1

The 2.1.7-1.1 listed here is the unstable fix that these releases inherited; stretch (1.1.6-4+deb9u1, DLA-2697-1) and buster (1.1.11-1+deb10u1) received separate backported fixes, as shown in the fixed-version table above.
