#1126694 libchdr: CVE-2025-14369

Package:
src:libchdr
Source:
src:libchdr
Submitter:
Salvatore Bonaccorso
Date:
2026-06-11 09:19:01 UTC
Severity:
normal
Tags:
#1126694#5
Date:
2026-01-30 19:06:30 UTC
Hi,

The following vulnerability was published for libchdr.

CVE-2025-14369[0]:
| dr_flac, an audio decoder within the dr_libs toolset, contains an
| integer overflow vulnerability flaw due to trusting the
| totalPCMFrameCount field from FLAC metadata before calculating
| buffer size, allowing an attacker with a specially crafted file to
| perform DoS against programs using the tool.

libchdr makes use of an embedded dr_flac.h with afaics vulnerable
code.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-14369
https://www.cve.org/CVERecord?id=CVE-2025-14369
[1] https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0
[2] https://www.kb.cert.org/vuls/id/924114

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1126694#10
Date:
2026-01-31 18:48:29 UTC
We believe that the bug you reported is fixed in the latest version of
libchdr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1126694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sébastien Noel <sebastien@twolife.be> (supplier of updated libchdr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 31 Jan 2026 19:08:06 +0100
Source: libchdr
Architecture: source
Version: 0.0~git20250608.8bba774+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Sébastien Noel <sebastien@twolife.be>
Closes: 1126694
Changes:
 libchdr (0.0~git20250608.8bba774+dfsg-2) unstable; urgency=medium
 .
   * Team upload
   * fix FTBFS on x32
   * fix CVE-2025-14369 (Closes: #1126694)
Checksums-Sha1:
 617224029159eb3c1ebd17e7892cdf87df6852e8 1837 libchdr_0.0~git20250608.8bba774+dfsg-2.dsc
 da3f8883e580b39a91dc945a4134eda536e93f56 5324 libchdr_0.0~git20250608.8bba774+dfsg-2.debian.tar.xz
 4b36174159506e0c8160b4d6a72f9e71bca57291 7415 libchdr_0.0~git20250608.8bba774+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 2c4bca12ff701c989033b226cee325a385d83e9324a841a858343f66128905ce 1837 libchdr_0.0~git20250608.8bba774+dfsg-2.dsc
 7f02724f900a3c5959add8e9e32dd97f1dbe6b4077d5fc8d163dce01b5909a25 5324 libchdr_0.0~git20250608.8bba774+dfsg-2.debian.tar.xz
 44211ba2fb0da5c48b29e9fae0ed7130cf9abf4d573d45872c7d676ed444b9a4 7415 libchdr_0.0~git20250608.8bba774+dfsg-2_amd64.buildinfo
Files:
 923591d18e664ebf9e5309d648ee45b9 1837 libs optional libchdr_0.0~git20250608.8bba774+dfsg-2.dsc
 86f4c0f78d37e40b82c01ea14c715426 5324 libs optional libchdr_0.0~git20250608.8bba774+dfsg-2.debian.tar.xz
 b9a4dab7729e6ea246cff88f4225a078 7415 libs optional libchdr_0.0~git20250608.8bba774+dfsg-2_amd64.buildinfo