Hi Matthias,

On Wed, Mar 05, 2025 at 11:15:47PM +0100, Matthias Geiger wrote:
> On Wed, 05 Mar 2025 17:36:12 +0100 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: miniaudio
> > Version: 0.11.21+dfsg-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for miniaudio.
> >
> > CVE-2024-41147[0]:
> > | An out-of-bounds write vulnerability exists in the
> > | ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio
> > | v0.11.21. A specially crafted .flac file can lead to memory
> > | corruption. An attacker can provide a malicious file to trigger this
> > | vulnerability.
> >
> > I suspect this is fixed in upstream 0.11.22, but have not isolated the
> > respective commit.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-41147
> > https://www.cve.org/CVERecord?id=CVE-2024-41147
> > [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2063
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
> >
> >
> 
> Hi Salvatore,
> 
> thanks for the report.
> 
> I checked upstream's source (0.11.21) but could not find any commit
> fixing/touching ma_dr_flac__decode_samples__lpc.
> 
> Apparently it was fixed though, according to the Talos report. Do you have
> any pointers? I tried git blame -L 85700,+50 -- miniaudio.h but couldn't
> find anything relevant. I'll try to dig more tomorrow.

So far I haven't found it either, but do you have a good upstream contact who
might confirm which commits fix the issue in the TALOS report?

Regards,
Salvatore
