[Git][security-tracker-team/security-tracker][master] Clarify that CVE-2024-50613 is exposed after linking with lame

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Apr 22 15:34:38 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5891aea4 by Salvatore Bonaccorso at 2025-04-22T16:34:07+02:00
Clarify that CVE-2024-50613 is exposed after linking with lame

The source part might be present earlier, but clarify the note to
explain that the issue is reachable only after enabling the mp3 encoder
(due to linking with lame), which happened in debian/1.1.0-1 tag in the
packaging (and present since bookworm).

Thanks to Jochen Sprickerhof for double-checking.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -56301,7 +56301,9 @@ CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lea
 	[bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - libsndfile <ignored> (Issue mp3 file handling which is not compiled in)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1034
-	NOTE: linked with lame since https://salsa.debian.org/multimedia-team/libsndfile/-/commit/ef69444 1.1.0-1/bookworm
+	NOTE: Issue reachable after enabling mp3 encoder (by linking against lame). Only done
+	NOTE: in the packaging since debian/1.1.0-1 (starting in bookworm) with
+	NOTE: https://salsa.debian.org/multimedia-team/libsndfile/-/commit/ef6944427e1e4b39f634bfb3af2ddc6071810aaa
 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...)
 	- libsndfile 1.2.2-2 (bug #1088692)
 	[bookworm] - libsndfile <no-dsa> (Minor issue)
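Review bot: The added NOTE text splits one sentence across three lines ("Only done" / "in the packaging since debian/1.1.0-1 (starting in bookworm) with" / the commit URL), so anyone grepping a single NOTE line for this CVE gets a fragment without its context. Consider ending each NOTE line at a clause boundary: one line stating that the issue is reachable after enabling the mp3 encoder by linking against lame, and a second giving "since debian/1.1.0-1 (starting in bookworm)" followed by the commit URL. The [bullseye] <ignored> reason says "mp3 file handling which is not compiled in" while the new note says "mp3 encoder"; using the same wording in both places would make it clear they describe the same condition.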



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5891aea46c03d48868942e56d098bd3402fb9219





More information about the debian-security-tracker-commits mailing list