CVE-2021-21417

NameCVE-2021-21417
Descriptionfluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use after free violation was discovered in fluidsynth, that can be triggered when loading an invalid SoundFont file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2697-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fluidsynth (PTS)stretch1.1.6-4vulnerable
stretch (security)1.1.6-4+deb9u1fixed
buster1.1.11-1+deb10u1fixed
bookworm, sid, bullseye2.1.7-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fluidsynthsourcestretch1.1.6-4+deb9u1DLA-2697-1
fluidsynthsourcebuster1.1.11-1+deb10u1
fluidsynthsource(unstable)2.1.7-1.1

Notes

https://github.com/FluidSynth/fluidsynth/issues/808
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9

Search for package or bug name: Reporting problems