Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 806845 (CVE-2021-37231, CVE-2021-37232)

Summary: <media-video/atomicparsley-0.9.6_p20210715_p151551 media-video/atomicparsley-wez: multiple vulnerabilities (CVE-2021-{37231,37232})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 868030    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 02:41:25 UTC
CVE-2021-37231:

A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e

CVE-2021-37232:

A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e
Comment 1 Larry the Git Cow gentoo-dev 2022-01-31 01:43:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b20a2a80202eb26b8146fd84e57d25890d6aa1

commit 34b20a2a80202eb26b8146fd84e57d25890d6aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:43:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:43:48 +0000

    media-video/atomicparsley: add 0.9.6_p20210715_p151551 (fork)
    
    Switch to fork with some CVE patches and build system fixes (changed
    to CMake from homebrew build script which e.g. didn't notice errors).
    
    Closes: https://bugs.gentoo.org/832361
    Bug: https://bugs.gentoo.org/713696
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/atomicparsley/Manifest                 |  1 +
 .../atomicparsley-0.9.6_p20210715_p151551.ebuild   | 32 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-31 01:55:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccefe6f68bddd76532fb573f55e75055680c6f9c

commit ccefe6f68bddd76532fb573f55e75055680c6f9c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:53:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:55:04 +0000

    profiles: last-rite media-video/atomicparsley-wez
    
    Use media-video/atomicparsley instead which has been switched to the fork.
    
    Bug: https://bugs.gentoo.org/668708
    Bug: https://bugs.gentoo.org/716268
    Bug: https://bugs.gentoo.org/731090
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)