> Source: miniaudio > Version: 0.11.21+dfsg-1 > Severity: grave > Tags: security upstream> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Hi, > > The following vulnerability was published for miniaudio. > > CVE-2024-41147[0]: > | An out-of-bounds write vulnerability exists in the > | ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio > | v0.11.21. A specially crafted .flac file can lead to memory > | corruption. An attacker can provide a malicious file to trigger this > | vulnerability. > > I suspect this is fixed in upstream 0.11.22, but have not isolated the > respective commit. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2024-41147 > https://www.cve.org/CVERecord?id=CVE-2024-41147> [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2063
> > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore > >
Hi Salvatore, thanks for the report.I checked upstreams sourceĀ (0.11.21) butĀ could not find any commit fixing/touching ma_dr_flac__decode_samples__lpc.
Apparantly it was fixed though according to the talos report. Do you have any pointers ? I tried git blame -L 85700,+50 -- miniaudio.h but couldn't find anything relevant. I'll try to dig more tomorrow.
best, werdahias
OpenPGP_0xECBEDBB607B9B2BE.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
