Bug 29051 - fluidsynth new security issue CVE-2021-21417
Summary: fluidsynth new security issue CVE-2021-21417
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-30 23:29 CEST by David Walser
Modified: 2021-06-12 16:57 CEST

See Also:
Source RPM: fluidsynth-2.1.5-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-05-30 23:29:02 CEST
openSUSE has issued an advisory on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TNUDR3JYL7FMN2WT7ZNGG6ZC25ZEFXE5/

The upstream issue on GitHub says that CVE-2021-28421 is a duplicate of CVE-2021-21417:
https://github.com/FluidSynth/fluidsynth/issues/808

The upstream advisory says that this is fixed upstream in 2.1.8:
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9

Mageia 7 is also affected.

David Walser 2021-05-30 23:29:26 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.1.8

Comment 1 Lewis Smith 2021-06-02 21:34:16 CEST
Another homeless SRPM, but DavidG has adopted it, so assigning to you.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 2 David GEIGER 2021-06-07 17:12:14 CEST
Done for mga8 and mga7!

Comment 3 David Walser 2021-06-09 02:04:40 CEST
RPMS:
fluidsynth-2.0.5-1.1.mga7
libfluidsynth2-2.0.5-1.1.mga7
libfluidsynth-devel-2.0.5-1.1.mga7
fluidsynth-2.1.8-1.mga8
libfluidsynth2-2.1.8-1.mga8
libfluidsynth-devel-2.1.8-1.mga8

from SRPMS:
fluidsynth-2.0.5-1.1.mga7.src.rpm
fluidsynth-2.1.8-1.mga8.src.rpm

Status comment: Fixed upstream in 2.1.8 => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 4 Herman Viaene 2021-06-12 16:48:06 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update, so googled and found https://github.com/FluidSynth/fluidsynth/wiki/GettingStarted
It gives an example of how to test basic working, but found out that no soundfont is installed. This seems to be a dependency????
Installed fluid-soundfont-gm, that gives me the soundfont.
Now trying to run the command
$ fluidsynth /usr/share/soundfonts/FluidR3_GM.sf2 droom.mid 
gives me loads of feedback, but the most important seems:
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
fluidsynth: error: Failed to connect to Jack server.
Failed to create the audio driver
Continuing this ......

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2021-06-12 16:57:44 CEST
Tried to get jack server running, but
$ jack_server_control 
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns

loads of parameters given .....
JACK server starting in realtime mode with priority 10
self-connect-mode is "Don't restrict self connect requests"
Cannot lock down 82280346 byte memory area (Cannot allocate memory)
Cannot use real-time scheduling (RR/10)(1: Operation not permitted)
AcquireSelfRealTime error
Ringbuffer automatic adaptative mode size = 4096 frames
Cannot use real-time scheduling (RR/5)(1: Operation not permitted)
JackClient::AcquireSelfRealTime error
../linux/alsa/JackAlsaAdapter.h:225, alsa error -2 : No such file or directory
Segmentation fault (core dumped)
