Bug 806845 (CVE-2021-37231, CVE-2021-37232) - <media-video/atomicparsley-0.9.6_p20210715_p151551 media-video/atomicparsley-wez: multiple vulnerabilities (CVE-2021-{37231,37232})
Summary: <media-video/atomicparsley-0.9.6_p20210715_p151551 media-video/atomicparsley-...
Status: RESOLVED FIXED
Alias: CVE-2021-37231, CVE-2021-37232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 868030
Blocks:
Reported: 2021-08-07 02:41 UTC by John Helmert III
Modified: 2023-05-03 09:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 02:41:25 UTC
CVE-2021-37231:

A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e

CVE-2021-37232:

A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64.

Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e
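
The class of bug both CVE descriptions name, a file-read helper that writes a fixed number of bytes into a caller's buffer without knowing its size, shown beside a bounded form. This is an added example, not AtomicParsley's code or the linked patch; `read_at_unchecked`, `read_at_bounded`, `read_be64`, the 4-byte scratch buffer and the sample file are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern: the helper trusts that `buf` can hold `want` bytes.
 * A 4-byte scratch buffer with want == 8 is written past its end. */
size_t read_at_unchecked(FILE *f, long pos, void *buf, size_t want) {
    if (fseek(f, pos, SEEK_SET) != 0) return 0;
    return fread(buf, 1, want, f);
}

/* Bounded form: the capacity travels with the pointer and an oversized
 * request is refused before any byte is written. */
int read_at_bounded(FILE *f, long pos, void *buf, size_t cap, size_t want) {
    if (buf == NULL || want > cap) return -1;        /* would overflow buf */
    if (pos < 0 || fseek(f, pos, SEEK_SET) != 0) return -1;
    if (fread(buf, 1, want, f) != want) return -2;   /* truncated input */
    return 0;
}

/* Big-endian 64-bit field read using its own correctly sized buffer. */
int read_be64(FILE *f, long pos, uint64_t *out) {
    unsigned char b[8];
    int rc = read_at_bounded(f, pos, b, sizeof b, 8);
    if (rc != 0) return rc;
    *out = 0;
    for (int i = 0; i < 8; i++) *out = (*out << 8) | b[i];
    return 0;
}

/* Constructed sample: 16 bytes, a 64-bit value followed by filler. */
FILE *make_sample(void) {
    static const unsigned char data[16] = {
        0, 0, 0, 0, 0, 0, 0x01, 0x02, 'f', 'r', 'e', 'e', 0, 0, 0, 0 };
    FILE *f = tmpfile();
    if (f) { fwrite(data, 1, sizeof data, f); rewind(f); }
    return f;
}

/* Returns 1 when an 8-byte read into a 4-byte buffer is refused. */
int small_buffer_rejected(void) {
    unsigned char four[4];
    FILE *f = make_sample();
    if (!f) return -1;
    int rc = read_at_bounded(f, 0, four, sizeof four, 8);
    fclose(f);
    return rc == -1;
}

int main(void) {
    printf("oversized read refused: %d\n", small_buffer_rejected());
    return 0;
}
```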
Comment 1 Larry the Git Cow gentoo-dev 2022-01-31 01:43:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b20a2a80202eb26b8146fd84e57d25890d6aa1

commit 34b20a2a80202eb26b8146fd84e57d25890d6aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:43:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:43:48 +0000

    media-video/atomicparsley: add 0.9.6_p20210715_p151551 (fork)
    
    Switch to fork with some CVE patches and build system fixes (changed
    to CMake from homebrew build script which e.g. didn't notice errors).
    
    Closes: https://bugs.gentoo.org/832361
    Bug: https://bugs.gentoo.org/713696
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/atomicparsley/Manifest                 |  1 +
 .../atomicparsley-0.9.6_p20210715_p151551.ebuild   | 32 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-31 01:55:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccefe6f68bddd76532fb573f55e75055680c6f9c

commit ccefe6f68bddd76532fb573f55e75055680c6f9c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:53:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:55:04 +0000

    profiles: last-rite media-video/atomicparsley-wez
    
    Use media-video/atomicparsley instead which has been switched to the fork.
    
    Bug: https://bugs.gentoo.org/668708
    Bug: https://bugs.gentoo.org/716268
    Bug: https://bugs.gentoo.org/731090
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-11-12 17:48:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58baa472e12220341d66f6d51fa2de0b768c5c98

commit 58baa472e12220341d66f6d51fa2de0b768c5c98
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-11-12 17:28:58 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-11-12 17:32:47 +0000

    media-video/atomicparsley: Drop old versions
    
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 media-video/atomicparsley/Manifest                 |  1 -
 .../atomicparsley/atomicparsley-0.9.0.ebuild       | 38 ----------------------
 2 files changed, 39 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 19:39:28 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 22:16:36 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-05-03 09:32:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=191e466b7a8af878d08a0cf4f41d8be2e180d9d9

commit 191e466b7a8af878d08a0cf4f41d8be2e180d9d9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:11:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-01 ] AtomicParsley: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-01.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)