CVE-2021-21417

NameCVE-2021-21417
Descriptionfluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use after free violation was discovered in fluidsynth, that can be triggered when loading an invalid SoundFont file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2697-1, ELA-450-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fluidsynth (PTS)jessie, jessie (lts)1.1.6-2+deb8u1fixed
stretch (security), stretch (lts), stretch1.1.6-4+deb9u1fixed
buster1.1.11-1+deb10u1fixed
bullseye2.1.7-1.1fixed
bookworm2.3.1-2fixed
sid, trixie2.4.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fluidsynthsourcejessie1.1.6-2+deb8u1ELA-450-1
fluidsynthsourcestretch1.1.6-4+deb9u1DLA-2697-1
fluidsynthsourcebuster1.1.11-1+deb10u1
fluidsynthsource(unstable)2.1.7-1.1

Notes

https://github.com/FluidSynth/fluidsynth/issues/808
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9
Search for package or bug name: Reporting problems