[AutoPR- Security] Patch libsndfile for CVE-2025-56226 [MEDIUM] (#15572)

azurelinux-security · web-flow · commit 7ebb2efec22b · 2026-01-27T12:03:51.000+05:30
diff --git a/SPECS/libsndfile/CVE-2025-56226.patch b/SPECS/libsndfile/CVE-2025-56226.patch
@@ -0,0 +1,38 @@
+From 2a2283c82465326dafeb5b5440614bc3532e3936 Mon Sep 17 00:00:00 2001
+From: Sisyphus-wang <43361974+Sisyphus-wang@users.noreply.github.com>
+Date: Fri, 11 Jul 2025 15:14:48 +0800
+Subject: [PATCH] Update mpeg_l3_encode.c
+
+fix memoryLeak bug
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/libsndfile/libsndfile/commit/d9a35ea0d5c64c19dd635ae578e0028df8f66d6a.patch
+---
+ src/mpeg_l3_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mpeg_l3_encode.c b/src/mpeg_l3_encode.c
+index 97324f7..04b1d50 100644
+--- a/src/mpeg_l3_encode.c
++++ b/src/mpeg_l3_encode.c
+@@ -87,7 +87,8 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, int info_tag)
+ 	if (! (pmpeg->lamef = lame_init ()))
+ 		return SFE_MALLOC_FAILED ;
+ 
+-	pmpeg->compression = -1.0 ; /* Unset */
++	psf->codec_close	= mpeg_l3_encoder_close ; /* Set psf->codec_close early*/
++ 	pmpeg->compression = -1.0 ; /* Unset */
+ 
+ 	lame_set_in_samplerate (pmpeg->lamef, psf->sf.samplerate) ;
+ 	lame_set_num_channels (pmpeg->lamef, psf->sf.channels) ;
+@@ -115,7 +116,6 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, int info_tag)
+ 		}
+ 
+ 	psf->sf.seekable	= 0 ;
+-	psf->codec_close	= mpeg_l3_encoder_close ;
+ 	psf->byterate		= mpeg_l3_encoder_byterate ;
+ 	psf->datalength		= 0 ;
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/libsndfile/libsndfile.spec b/SPECS/libsndfile/libsndfile.spec
@@ -1,7 +1,7 @@
 Summary:        Library for reading and writing sound files
 Name:           libsndfile
 Version:        1.2.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD AND GPLv2+ AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,6 +16,7 @@ Patch1:         revert.patch
 Patch100:       CVE-2018-13419.nopatch
 Patch101:       CVE-2022-33065.patch
 Patch102:       CVE-2024-50612.patch
+Patch103:       CVE-2025-56226.patch
 
 BuildRequires:  alsa-lib-devel
 BuildRequires:  autogen
@@ -140,6 +141,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 %{_libdir}/pkgconfig/sndfile.pc
 
 %changelog
+* Sat Jan 24 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.2-4
+- Patch for CVE-2025-56226
+
 * Tue Jan 07 2025 Muhammad Falak <mwani@microsoft.com> - 1.2.2-3
 - Patch CVE-2024-50612
 
