Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 806845 (CVE-2021-37231, CVE-2021-37232) - <media-video/atomicparsley-0.9.6_p20210715_p151551 media-video/atomicparsley-wez: multiple vulnerabilities (CVE-2021-{37231,37232})
Summary: <media-video/atomicparsley-0.9.6_p20210715_p151551 media-video/atomicparsley-...
Status: CONFIRMED
Alias: CVE-2021-37231, CVE-2021-37232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable]
Keywords:
Depends on: 868030
Blocks:
  Show dependency tree
 
Reported: 2021-08-07 02:41 UTC by John Helmert III
Modified: 2022-09-03 05:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 02:41:25 UTC
CVE-2021-37231:

A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e

CVE-2021-37232:

A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e
Comment 1 Larry the Git Cow gentoo-dev 2022-01-31 01:43:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b20a2a80202eb26b8146fd84e57d25890d6aa1

commit 34b20a2a80202eb26b8146fd84e57d25890d6aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:43:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:43:48 +0000

    media-video/atomicparsley: add 0.9.6_p20210715_p151551 (fork)
    
    Switch to fork with some CVE patches and build system fixes (changed
    to CMake from homebrew build script which e.g. didn't notice errors).
    
    Closes: https://bugs.gentoo.org/832361
    Bug: https://bugs.gentoo.org/713696
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/atomicparsley/Manifest                 |  1 +
 .../atomicparsley-0.9.6_p20210715_p151551.ebuild   | 32 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-31 01:55:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccefe6f68bddd76532fb573f55e75055680c6f9c

commit ccefe6f68bddd76532fb573f55e75055680c6f9c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:53:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:55:04 +0000

    profiles: last-rite media-video/atomicparsley-wez
    
    Use media-video/atomicparsley instead which has been switched to the fork.
    
    Bug: https://bugs.gentoo.org/668708
    Bug: https://bugs.gentoo.org/716268
    Bug: https://bugs.gentoo.org/731090
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)