Bug 29051 - fluidsynth new security issue CVE-2021-21417
Summary: fluidsynth new security issue CVE-2021-21417
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 23:29 CEST by David Walser
Modified: 2021-07-09 02:28 CEST

See Also:
Source RPM: fluidsynth-2.1.5-1.mga8.src.rpm
CVE: CVE-2021-21417
Status comment:



Description David Walser 2021-05-30 23:29:02 CEST
openSUSE has issued an advisory on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TNUDR3JYL7FMN2WT7ZNGG6ZC25ZEFXE5/

The upstream issue on GitHub says that CVE-2021-28421 is a duplicate of CVE-2021-21417:
https://github.com/FluidSynth/fluidsynth/issues/808

The upstream advisory says that this is fixed upstream in 2.1.8:
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9

Mageia 7 is also affected.

David Walser 2021-05-30 23:29:26 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.1.8
CC: (none) => geiger.david68210

Comment 1 Lewis Smith 2021-06-02 21:34:16 CEST
Another homeless SRPM, but DavidG has adopted it, so assigning to you.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 2 David GEIGER 2021-06-07 17:12:14 CEST
Done for mga8 and mga7!

Comment 3 David Walser 2021-06-09 02:04:40 CEST
RPMS:
fluidsynth-2.0.5-1.1.mga7
libfluidsynth2-2.0.5-1.1.mga7
libfluidsynth-devel-2.0.5-1.1.mga7
fluidsynth-2.1.8-1.mga8
libfluidsynth2-2.1.8-1.mga8
libfluidsynth-devel-2.1.8-1.mga8

from SRPMS:
fluidsynth-2.0.5-1.1.mga7.src.rpm
fluidsynth-2.1.8-1.mga8.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 2.1.8 => (none)

Comment 4 Herman Viaene 2021-06-12 16:48:06 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update, so googled and found https://github.com/FluidSynth/fluidsynth/wiki/GettingStarted
It gives an example of how to test basic working, but found out that no soundfont is installed. This seems to be a dependency????
Installed fluid-soundfont-gm, that gives me the soundfont.
Now trying to run the command
$ fluidsynth /usr/share/soundfonts/FluidR3_GM.sf2 droom.mid 
gives me loads of feedback, but the most important seems:
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
fluidsynth: error: Failed to connect to Jack server.
Failed to create the audio driver
Continuing this ......

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2021-06-12 16:57:44 CEST
Tried to get jack server running, but
$ jack_server_control 
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns
Cannot create RT messagebuffer thread: Operation not permitted (1)
Retrying messagebuffer thread without RT scheduling
Messagebuffer not realtime; consider enabling RT scheduling for user
no message buffer overruns

loads of parameters given .....
JACK server starting in realtime mode with priority 10
self-connect-mode is "Don't restrict self connect requests"
Cannot lock down 82280346 byte memory area (Cannot allocate memory)
Cannot use real-time scheduling (RR/10)(1: Operation not permitted)
AcquireSelfRealTime error
Ringbuffer automatic adaptative mode size = 4096 frames
Cannot use real-time scheduling (RR/5)(1: Operation not permitted)
JackClient::AcquireSelfRealTime error
../linux/alsa/JackAlsaAdapter.h:225, alsa error -2 : No such file or directory
Segmentation fault (core dumped)

Comment 6 David Walser 2021-06-21 22:18:13 CEST
This is a library, so the best way to test would be through a package that uses it:
SDL_mixer-player
audacious-fluidsynth
calf
carla
carla-vst
csound-fluidsynth
denemo
fluidsynth
gstreamer1.0-fluidsynth
lmms
minuet
mpd
muse
qsynth
scummvm
stratagus
vlc-plugin-fluidsynth

Comment 7 PC LX 2021-06-25 13:00:06 CEST
Installed and tested (somewhat) without issues.


I don't have any MIDI devices so I only tested playing midi files using the VLC plugin. Many midi files can easily be found and downloaded from the internet.

Many good ones can be found here:
http://www.classicalmidi.co.uk/barber.htm

Also, a soundfont file is required. I installed the package fluid-soundfont-gm for that.

The following commands installed all that was needed for this system.

$ urpmi vlc vlc-plugin-fluidsynth fluidsynth fluid-soundfont-gm


System: Mageia 7, x86_64, Intel CPU.



$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep 'soundfont|fluidsynth'
fluidsynth-2.0.5-1.mga7
fluid-soundfont-gm-3.1-13.mga7
vlc-plugin-fluidsynth-3.0.14-1.mga7.tainted
fluid-soundfont-common-3.1-13.mga7
lib64fluidsynth2-2.0.5-1.mga7
$ lspci | grep -i audio
00:1b.0 Audio device: Intel Corporation NM10/ICH7 Family High Definition Audio Controller (rev 01)
04:00.1 Audio device: NVIDIA Corporation GP108 High Definition Audio Controller (rev a1)

CC: (none) => mageia

Comment 8 Herman Viaene 2021-06-25 15:13:28 CEST
Took suggestion of PC LX and installed vlc-plugin-fluidsynth.tainted
then at CLI
vlc droom.mid 
VLC media player 3.0.14 Vetinari (revision 3.0.14-0-8e19ecd05497)
[0000000000e345b0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[0000000000f04f80] qt interface error: Unable to load extensions module
ALSA lib pcm_dsnoop.c:638:(snd_pcm_dsnoop_open) unable to open slave
ALSA lib pcm_dmix.c:1108:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.rear
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.center_lfe
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.side
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
ALSA lib pcm_dmix.c:1108:(snd_pcm_dmix_open) unable to open slave
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
fluidsynth: warning: No preset found on channel 0 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 1 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 2 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 3 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 4 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 5 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 6 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 7 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 8 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 9 [bank=128 prog=0]
fluidsynth: warning: No preset found on channel 10 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 11 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 12 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 13 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 14 [bank=0 prog=0]
fluidsynth: warning: No preset found on channel 15 [bank=0 prog=0]
uint DBusMenuExporterDBus::GetLayout(int, int, const QStringList&, DBusMenuLayoutItem&): Condition failed: menu
uint DBusMenuExporterDBus::GetLayout(int, int, const QStringList&, DBusMenuLayoutItem&): Condition failed: menu
QObject::~QObject: Timers cannot be stopped from another thread
Thus loads of feedback on "I-don't-know-what-all", but at least the file is decently played back.
So OK for me.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 9 Brian Rockwell 2021-07-08 22:09:08 CEST
MGA8 - Gnome

Followed the theme above.  Had to add the sound fonts pack of course.

The following 40 packages are going to be installed:

- fluidsynth-2.1.8-1.mga8.x86_64
- fonts-ttf-bitstream-vera-1.10-18.mga8.noarch
- glibc-2.32-17.mga8.x86_64
- glibc-devel-2.32-17.mga8.x86_64
- lib64aribb25_0-0.2.7-1.mga8.x86_64
- lib64avc1394_0-0.5.4-9.mga8.x86_64
- lib64basicusageenvironment1-2021.06.25-1.mga8.x86_64
- lib64caca0-0.99-0.beta19.5.1.mga8.x86_64
- lib64cddb2-1.3.2-21.mga8.x86_64
- lib64crystalhd3-0-0.20110315.13.mga8.x86_64
- lib64dvbpsi10-1.3.3-2.mga8.x86_64
- lib64ebml5-1.4.2-1.mga8.x86_64
- lib64fluidsynth2-2.1.8-1.mga8.x86_64
- lib64groupsock30-2021.06.25-1.mga8.x86_64
- lib64livemedia94-2021.06.25-1.mga8.x86_64
- lib64matroska7-1.6.2-1.mga8.x86_64
- lib64protobuf-lite25-3.14.0-1.mga8.x86_64
- lib64qt5svg5-5.15.2-1.1.mga8.x86_64
- lib64rpm9-4.16.1.3-1.1.mga8.x86_64
- lib64usageenvironment3-2021.06.25-1.mga8.x86_64
- lib64vlc5-3.0.16-1.mga8.x86_64
- lib64vlccore9-3.0.16-1.mga8.x86_64
- lib64xcb-composite0-1.14-1.mga8.x86_64
- lib64xcb-xv0-1.14-1.mga8.x86_64
- libcrystalhd-common-0-0.20110315.13.mga8.x86_64
- python3-rpm-4.16.1.3-1.1.mga8.x86_64
- qtsvg5-5.15.2-1.1.mga8.x86_64
- rpm-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-ima-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-syslog-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-systemd-inhibit-4.16.1.3-1.1.mga8.x86_64
- vlc-3.0.16-1.mga8.x86_64
- vlc-plugin-common-3.0.16-1.mga8.x86_64
- vlc-plugin-fluidsynth-3.0.16-1.mga8.x86_64
- vlc-plugin-lua-3.0.16-1.mga8.x86_64
- vlc-plugin-opengl-3.0.16-1.mga8.x86_64
- vlc-plugin-pulse-3.0.16-1.mga8.x86_64
- vlc-plugin-samba-3.0.16-1.mga8.x86_64
- vlc-plugin-theora-3.0.16-1.mga8.x86_64
- vlc-plugin-vdpau-3.0.16-1.mga8.x86_64




I was able to play midi.

CC: (none) => brtians1

Brian Rockwell 2021-07-08 22:09:27 CEST

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 10 Aurelien Oudelet 2021-07-08 23:26:13 CEST
Advisory:
========================

Updated fluidsynth packages fix a security vulnerability:

fluidsynth is a software synthesizer based on the SoundFont 2 specifications. A use after free violation was discovered in fluidsynth, that can be triggered when loading an invalid SoundFont file (CVE-2021-21417).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29051
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21417
 - https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9
========================

Updated packages in core/updates_testing:
========================
fluidsynth-2.0.5-1.1.mga7
libfluidsynth2-2.0.5-1.1.mga7
libfluidsynth-devel-2.0.5-1.1.mga7

fluidsynth-2.1.8-1.mga8
libfluidsynth2-2.1.8-1.mga8
libfluidsynth-devel-2.1.8-1.mga8

from SRPMS:
fluidsynth-2.0.5-1.1.mga7.src.rpm
fluidsynth-2.1.8-1.mga8.src.rpm


Validating.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-21417
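
A check a tester could run over `rpm -qa` output to confirm that the installed fluidsynth builds are at least the fixed ones listed in the advisory above (an added example, not part of the original bug report). The `rpmvercmp` here is a simplified reimplementation of RPM's comparison that ignores epochs and `~`/`^`; the `lib64` to `lib` name mapping and the arch-suffix list are assumptions; the sample lines are package strings quoted in this report.

```python
import re

# Fixed version/release per distribution, taken from the advisory in this report.
FIXED = {"mga7": ("2.0.5", "1.1.mga7"), "mga8": ("2.1.8", "1.mga8")}
NAMES = {"fluidsynth", "libfluidsynth2", "libfluidsynth-devel"}
ARCH = re.compile(r"\.(x86_64|i586|noarch|aarch64|armv7hl)$")  # assumed arch list

def rpmvercmp(a, b):
    """Simplified RPM segment comparison: returns -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def check(lines):
    """Map each fluidsynth package line to 'fixed' or 'needs-update'."""
    results = {}
    for line in lines:
        nvr = ARCH.sub("", line.strip().lstrip("- "))
        parts = nvr.rsplit("-", 2)  # name-version-release
        if len(parts) != 3:
            continue
        name, ver, rel = parts
        name = re.sub(r"^lib64", "lib", name)  # assumption: lib64* is the x86_64 name
        dist = re.search(r"mga[0-9]+", rel)
        if name not in NAMES or not dist or dist.group() not in FIXED:
            continue
        fver, frel = FIXED[dist.group()]
        order = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        results[nvr] = "fixed" if order >= 0 else "needs-update"
    return results

# Sample input: package strings quoted in this report (comments 7 and 9, Source RPM field).
SAMPLE = [
    "fluidsynth-2.0.5-1.mga7",
    "lib64fluidsynth2-2.0.5-1.mga7",
    "fluid-soundfont-gm-3.1-13.mga7",
    "- fluidsynth-2.1.8-1.mga8.x86_64",
    "- lib64fluidsynth2-2.1.8-1.mga8.x86_64",
    "fluidsynth-2.1.5-1.mga8",
]

if __name__ == "__main__":
    for pkg, state in check(SAMPLE).items():
        print(f"{state:13} {pkg}")
```

Plain string or `sort -V` ordering is not a substitute here: it ranks release `1.mga7` above `1.1.mga7`, the opposite of RPM's rule that a numeric segment is newer than an alphabetic one.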

Comment 11 Mageia Robot 2021-07-09 02:28:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0324.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

