openSUSE has issued an advisory on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TNUDR3JYL7FMN2WT7ZNGG6ZC25ZEFXE5/
The upstream issue on GitHub says that CVE-2021-28421 is a duplicate of CVE-2021-21417:
https://github.com/FluidSynth/fluidsynth/issues/808
The upstream advisory says that this is fixed upstream in 2.1.8:
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.1.8
CC: (none) => geiger.david68210
Another homeless SRPM, but DavidG has adopted it, so assigning to you.
Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)
Done for mga8 and mga7!
RPMS:
fluidsynth-2.0.5-1.1.mga7
libfluidsynth2-2.0.5-1.1.mga7
libfluidsynth-devel-2.0.5-1.1.mga7
fluidsynth-2.1.8-1.mga8
libfluidsynth2-2.1.8-1.mga8
libfluidsynth-devel-2.1.8-1.mga8
from SRPMS:
fluidsynth-2.0.5-1.1.mga7.src.rpm
fluidsynth-2.1.8-1.mga8.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 2.1.8 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update, so googled and found https://github.com/FluidSynth/fluidsynth/wiki/GettingStarted
It gives an example of how to test basic working, but found out that no soundfont is installed. This seems to be a dependency????
Installed fluid-soundfont-gm, that gives me the soundfont.
Now trying to run the command
$ fluidsynth /usr/share/soundfonts/FluidR3_GM.sf2 droom.mid
gives me loads of feedback, but the most important seems:
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
fluidsynth: error: Failed to connect to Jack server.
Failed to create the audio driver
Continuing this ......
CC: (none) => herman.viaene
Tried to get jack server running, but
$ jack_server_control
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
loads of parameters given .....
JACK server starting in realtime mode with priority 10
self-connect-mode is "Don't restrict self connect requests"
Cannot lock down 82280346 byte memory area (Cannot allocate memory)
Cannot use real-time scheduling (RR/10)(1: Operation not permitted)
AcquireSelfRealTime error
Ringbuffer automatic adaptative mode size = 4096 frames
Cannot use real-time scheduling (RR/5)(1: Operation not permitted)
JackClient::AcquireSelfRealTime error
../linux/alsa/JackAlsaAdapter.h:225, alsa error -2 : No such file or directory
Segmentation fault (core dumped)
This is a library, so the best way to test would be through a package that uses it: SDL_mixer-player audacious-fluidsynth calf carla carla-vst csound-fluidsynth denemo fluidsynth gstreamer1.0-fluidsynth lmms minuet mpd muse qsynth scummvm stratagus vlc-plugin-fluidsynth
Installed and tested (somewhat) without issues.
I don't have any MIDI devices so I only tested playing midi files using the VLC plugin.
Many midi files can easily be found and downloaded from the internet. Many good ones can be found here: http://www.classicalmidi.co.uk/barber.htm
Also, a soundfont file is required. I installed the package fluid-soundfont-gm for that.
The following commands installed all that was needed for this system.
$ urpmi vlc vlc-plugin-fluidsynth fluidsynth fluid-soundfont-gm
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep 'soundfont|fluidsynth'
fluidsynth-2.0.5-1.mga7
fluid-soundfont-gm-3.1-13.mga7
vlc-plugin-fluidsynth-3.0.14-1.mga7.tainted
fluid-soundfont-common-3.1-13.mga7
lib64fluidsynth2-2.0.5-1.mga7
$ lspci | grep -i audio
00:1b.0 Audio device: Intel Corporation NM10/ICH7 Family High Definition Audio Controller (rev 01)
04:00.1 Audio device: NVIDIA Corporation GP108 High Definition Audio Controller (rev a1)
CC: (none) => mageia
Took suggestion of PC LX and installed vlc-plugin-fluidsynth.tainted
then at CLI
vlc droom.mid
VLC media player 3.0.14 Vetinari (revision 3.0.14-0-8e19ecd05497)
[0000000000e345b0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[0000000000f04f80] qt interface error: Unable to load extensions module
ALSA lib pcm_dsnoop.c:638:(snd_pcm_dsnoop_open) unable to open slave
ALSA lib pcm_dmix.c:1108:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.rear
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.center_lfe
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.side
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
ALSA lib pcm_dmix.c:1108:(snd_pcm_dmix_open) unable to open slave
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
fluidsynth: warning: No preset found on channel 0 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 1 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 2 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 3 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 4 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 5 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 6 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 7 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 8 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 9 [bank=128 prog=0]
fluidsynth: warning: No preset found on channel 10 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 11 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 12 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 13 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 14 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 15 [bank=0 prog=0]
uint DBusMenuExporterDBus::GetLayout(int, int, const QStringList&, DBusMenuLayoutItem&): Condition failed: menu
uint DBusMenuExporterDBus::GetLayout(int, int, const QStringList&, DBusMenuLayoutItem&): Condition failed: menu
QObject::~QObject: Timers cannot be stopped from another thread
Thus loads of feedback on "I-don't-know-what-all", but at least the file is decently played back. So OK for me.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
MGA8 - Gnome followed the theme above. Had to add the sound fonts pack of course.
The following 40 packages are going to be installed:
- fluidsynth-2.1.8-1.mga8.x86_64
- fonts-ttf-bitstream-vera-1.10-18.mga8.noarch
- glibc-2.32-17.mga8.x86_64
- glibc-devel-2.32-17.mga8.x86_64
- lib64aribb25_0-0.2.7-1.mga8.x86_64
- lib64avc1394_0-0.5.4-9.mga8.x86_64
- lib64basicusageenvironment1-2021.06.25-1.mga8.x86_64
- lib64caca0-0.99-0.beta19.5.1.mga8.x86_64
- lib64cddb2-1.3.2-21.mga8.x86_64
- lib64crystalhd3-0-0.20110315.13.mga8.x86_64
- lib64dvbpsi10-1.3.3-2.mga8.x86_64
- lib64ebml5-1.4.2-1.mga8.x86_64
- lib64fluidsynth2-2.1.8-1.mga8.x86_64
- lib64groupsock30-2021.06.25-1.mga8.x86_64
- lib64livemedia94-2021.06.25-1.mga8.x86_64
- lib64matroska7-1.6.2-1.mga8.x86_64
- lib64protobuf-lite25-3.14.0-1.mga8.x86_64
- lib64qt5svg5-5.15.2-1.1.mga8.x86_64
- lib64rpm9-4.16.1.3-1.1.mga8.x86_64
- lib64usageenvironment3-2021.06.25-1.mga8.x86_64
- lib64vlc5-3.0.16-1.mga8.x86_64
- lib64vlccore9-3.0.16-1.mga8.x86_64
- lib64xcb-composite0-1.14-1.mga8.x86_64
- lib64xcb-xv0-1.14-1.mga8.x86_64
- libcrystalhd-common-0-0.20110315.13.mga8.x86_64
- python3-rpm-4.16.1.3-1.1.mga8.x86_64
- qtsvg5-5.15.2-1.1.mga8.x86_64
- rpm-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-ima-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-syslog-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-systemd-inhibit-4.16.1.3-1.1.mga8.x86_64
- vlc-3.0.16-1.mga8.x86_64
- vlc-plugin-common-3.0.16-1.mga8.x86_64
- vlc-plugin-fluidsynth-3.0.16-1.mga8.x86_64
- vlc-plugin-lua-3.0.16-1.mga8.x86_64
- vlc-plugin-opengl-3.0.16-1.mga8.x86_64
- vlc-plugin-pulse-3.0.16-1.mga8.x86_64
- vlc-plugin-samba-3.0.16-1.mga8.x86_64
- vlc-plugin-theora-3.0.16-1.mga8.x86_64
- vlc-plugin-vdpau-3.0.16-1.mga8.x86_64
I was able to play midi.
CC: (none) => brtians1
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Advisory:
========================
Updated fluidsynth packages fix a security vulnerability:
fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use after free violation was discovered in fluidsynth, that can be triggered when loading an invalid SoundFont file (CVE-2021-21417).
References:
- https://bugs.mageia.org/show_bug.cgi?id=29051
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21417
- https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9
========================
Updated packages in core/updates_testing:
========================
fluidsynth-2.0.5-1.1.mga7
libfluidsynth2-2.0.5-1.1.mga7
libfluidsynth-devel-2.0.5-1.1.mga7
fluidsynth-2.1.8-1.mga8
libfluidsynth2-2.1.8-1.mga8
libfluidsynth-devel-2.1.8-1.mga8
from SRPMS:
fluidsynth-2.0.5-1.1.mga7.src.rpm
fluidsynth-2.1.8-1.mga8.src.rpm
Validating.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-21417
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0324.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED