ELA-1403-1 libsndfile security update

multiple vulnerabilities

2025-04-23
Package: libsndfile
Version: 1.0.25-9.1+deb8u8 (jessie), 1.0.27-3+deb9u4 (stretch), 1.0.28-6+deb10u3 (buster)
Related CVEs: CVE-2022-33065, CVE-2024-50612


Several security vulnerabilities have been found in libsndfile, a library for reading/writing audio files.

CVE-2022-33065

Multiple signed integer overflows in the function au_read_header in src/au.c
and in the functions mat4_open and mat4_read_header in src/mat4.c in
libsndfile allow an attacker to cause a denial of service or other
unspecified impacts.
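
As an added illustration of the bug class (this is not libsndfile's code, and the advisory does not say which header fields the faulty arithmetic involves), the following Python parser reads the public Sun/NeXT .au header layout (".snd" magic followed by five big-endian unsigned 32-bit fields) and validates every size-bearing field with unbounded integers before anything is trusted. The `make_au` builder, the `classify` helper and the sample headers are constructed for this example only.

```python
import struct

AU_MAGIC = b".snd"
AU_HEADER_LEN = 24            # magic + five big-endian 32-bit fields
AU_UNKNOWN_SIZE = 0xFFFFFFFF  # data_size value meaning "until end of file"
INT32_MAX = 2**31 - 1


class AuHeaderError(ValueError):
    """Raised when a header field would be unsafe to act on."""


def to_int32(value: int) -> int:
    """What a C reader sees if it stores an unsigned 32-bit field in an int:
    values above INT32_MAX wrap to negative numbers, so a naive
    'offset > file_len' check no longer rejects them."""
    return ((value + 2**31) % 2**32) - 2**31


def parse_au_header(data: bytes) -> dict:
    """Parse and validate an .au header; raise AuHeaderError on anything unsafe."""
    if len(data) < AU_HEADER_LEN:
        raise AuHeaderError("truncated header")
    magic, data_offset, data_size, encoding, sample_rate, channels = \
        struct.unpack(">4sIIIII", data[:AU_HEADER_LEN])
    if magic != AU_MAGIC:
        raise AuHeaderError("bad magic")
    # The fields are unsigned on disk. All arithmetic below is done on Python
    # ints (which cannot wrap) and the signed 32-bit range is checked
    # explicitly, so no value is ever interpreted after an overflow.
    for name, value in (("data_offset", data_offset),
                        ("sample_rate", sample_rate),
                        ("channels", channels)):
        if value > INT32_MAX:
            raise AuHeaderError(f"{name}={value} does not fit a signed 32-bit int")
    if data_offset < AU_HEADER_LEN or data_offset > len(data):
        raise AuHeaderError(f"data_offset={data_offset} lies outside the file")
    if data_size == AU_UNKNOWN_SIZE:
        data_size = len(data) - data_offset
    elif data_offset + data_size > len(data):
        raise AuHeaderError("data_offset + data_size exceeds file length")
    if channels == 0 or sample_rate == 0:
        raise AuHeaderError("zero channels or sample rate")
    return {"data_offset": data_offset, "data_size": data_size,
            "encoding": encoding, "sample_rate": sample_rate,
            "channels": channels}


def make_au(data_offset, data_size, encoding=3, sample_rate=8000,
            channels=1, payload=b""):
    """Build a constructed .au byte string for testing (not a real recording)."""
    header = struct.pack(">4sIIIII", AU_MAGIC, data_offset, data_size,
                         encoding, sample_rate, channels)
    return header + payload


def classify(data: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for a header."""
    try:
        parse_au_header(data)
        return "ok"
    except AuHeaderError as exc:
        return f"rejected: {exc}"


# Constructed inputs: a well-formed 8-byte PCM file and two hostile headers
# whose offset/size fields exceed INT32_MAX.
GOOD_FILE = make_au(24, 8, payload=b"\x00" * 8)
HUGE_OFFSET = make_au(0xFFFFFFF0, 8, payload=b"\x00" * 8)
HUGE_SIZE = make_au(24, 0xFFFFFFF0, payload=b"\x00" * 8)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_FILE), ("huge offset", HUGE_OFFSET),
                          ("huge size", HUGE_SIZE)):
        print(f"{label:12s} {classify(sample)}")
    print("0xFFFFFFF0 seen through a signed int:", to_int32(0xFFFFFFF0))
```

The point of `to_int32` is the failure mode: a header offset of 0xFFFFFFF0 becomes -16 once it lands in a signed 32-bit variable, which passes any "larger than the file" comparison and then feeds a seek or a length computation. Checking the raw unsigned value against INT32_MAX and the file length before conversion, as `parse_au_header` does, closes that path.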

CVE-2024-50612

libsndfile through 1.2.2 has an out-of-bounds read via vorbis_analysis_wrote
in ogg_vorbis.c.


For Debian 10 buster, these problems have been fixed in version 1.0.28-6+deb10u3.

For Debian 8 jessie, these problems have been fixed in version 1.0.25-9.1+deb8u8.

For Debian 9 stretch, these problems have been fixed in version 1.0.27-3+deb9u4.

We recommend that you upgrade your libsndfile packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.