Debian Package Tracker

mpd

Music Player Daemon

general
  • source: mpd (main)
  • version: 0.24.12-1
  • maintainer: mpd maintainers (archive) (DMD)
  • uploaders: Florian Schlichting [DMD] – Geoffroy Youri Berret [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.22.6-1
  • oldstable: 0.23.12-1
  • old-bpo: 0.24.2-1~bpo12+1
  • stable: 0.24.4-1
  • testing: 0.24.12-1
  • unstable: 0.24.12-1
versioned links
  • 0.22.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.12-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.24.2-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.24.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.24.12-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • mpd (8 bugs: 0, 7, 1, 0)
action needed
1 open merge request in Salsa normal
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging it.
Created: 2026-04-30 Last update: 2026-04-30 00:31
4 low-priority security issues in trixie low

There are 4 open security issues in trixie.

4 issues left for the package maintainer to handle:
  • CVE-2026-49127: (needs triaging) Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
  • CVE-2026-49128: (needs triaging) Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory.
  • CVE-2026-49129: (needs triaging) Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0.
  • CVE-2026-49130: (needs triaging) Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-29 Last update: 2026-06-07 00:31
4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle (the same four listed above for trixie, with identical descriptions): CVE-2026-49127, CVE-2026-49128, CVE-2026-49129 and CVE-2026-49130 (all needs triaging).

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-29 Last update: 2026-06-07 00:31
testing migrations
  • This package will soon be part of the auto-libsidplayfp transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-pupnp transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-fmtlib transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2026-06-07] mpd 0.24.12-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-01] Accepted mpd 0.24.12-1 (source) into unstable (Florian Schlichting)
  • [2026-02-28] mpd 0.24.8-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-24] Accepted mpd 0.24.8-1 (source) into unstable (Florian Schlichting)
  • [2025-10-26] mpd 0.24.6-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-24] Accepted mpd 0.24.6-1 (source) into unstable (Geoffroy Youri Berret)
  • [2025-06-15] mpd 0.24.4-1 MIGRATED to testing (Debian testing watch)
  • [2025-05-25] Accepted mpd 0.24.4-1 (source) into unstable (Florian Schlichting)
  • [2025-04-12] mpd 0.24.3-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-10] Accepted mpd 0.24.2-1~bpo12+1 (source) into stable-backports (Stephen Kitt)
  • [2025-04-09] Accepted mpd 0.24.3-1 (source) into unstable (Geoffroy Youri Berret)
  • [2025-04-03] mpd 0.24.2-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-29] Accepted mpd 0.24.2-1 (source) into unstable (Geoffroy Youri Berret)
  • [2025-03-21] Accepted mpd 0.24.1-1 (source) into unstable (Geoffroy Youri Berret)
  • [2025-03-19] Accepted mpd 0.24-1 (source) into unstable (Geoffroy Youri Berret)
  • [2025-02-26] mpd 0.23.17-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-20] Accepted mpd 0.23.17-1 (source) into unstable (Geoffroy Youri Berret)
  • [2024-12-24] mpd 0.23.16-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-21] Accepted mpd 0.23.16-1 (source) into unstable (Florian Schlichting)
  • [2024-07-15] Accepted mpd 0.23.15-1~bpo12+1 (source amd64) into stable-backports (Debian FTP Masters) (signed by: Boyuan Yang)
  • [2024-06-19] mpd 0.23.15-1 MIGRATED to testing (Debian testing watch)
  • [2024-06-14] Accepted mpd 0.23.15-1 (source) into unstable (Geoffroy Youri Berret)
  • [2023-12-19] mpd 0.23.14-2 MIGRATED to testing (Debian testing watch)
  • [2023-12-16] Accepted mpd 0.23.14-2 (source) into unstable (Geoffroy Youri Berret)
  • [2023-10-14] mpd 0.23.14-1 MIGRATED to testing (Debian testing watch)
  • [2023-10-09] Accepted mpd 0.23.14-1 (source) into unstable (Florian Schlichting)
  • [2023-01-24] mpd 0.23.12-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-21] Accepted mpd 0.23.12-1 (source) into unstable (Florian Schlichting)
  • [2022-12-07] mpd 0.23.11-1 MIGRATED to testing (Debian testing watch)
  • [2022-12-04] Accepted mpd 0.23.11-1 (source) into unstable (Florian Schlichting)
bugs [bug history graph]
  • all: 8
  • RC: 0
  • I&N: 7
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.24.6-1build3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers