CVE-2021-37231: A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.
Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e

CVE-2021-37232: A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64.
Patch: https://github.com/wez/atomicparsley/commit/020176f688d9efec68f1ce1b100e052bff1cfc2e
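As an added illustration of the bug class the two CVE entries describe (a length taken from the file and used to fill a fixed stack buffer without a bounds check), here is a small atom reader in its unchecked and hardened forms. This is example code written for this page, not AtomicParsley's src/util.cpp: the function names, the 32-byte buffer size and the two sample atoms are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack scratch buffer, standing in for the small on-stack buffer
 * an atom reader fills from the file. The CVE text names uint32_buffer; the
 * size used here is an assumption for the example. */
#define ATOM_BUF 32

/* MP4 atoms start with a 4-byte big-endian size (which covers the 8-byte
 * header itself) followed by a 4-byte type code. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE pattern: the payload length comes straight from the file and is
 * copied into a fixed stack buffer with no check against ATOM_BUF or against
 * the bytes actually present. A crafted size field turns the memcpy into a
 * stack buffer overflow, and size < 8 makes size - 8 wrap to a huge value.
 * It is only ever called on well-formed input below; it is the "before". */
static size_t read_atom_unchecked(const uint8_t *in, char type_out[4]) {
    uint8_t buf[ATOM_BUF];
    uint32_t size = be32(in);            /* attacker controlled */
    size_t payload = size - 8;
    memcpy(type_out, in + 4, 4);
    memcpy(buf, in + 8, payload);        /* overflows when payload > ATOM_BUF */
    return payload;
}

/* HARDENED: every length derived from the file is validated against both the
 * destination capacity and the input remaining before any copy happens.
 * Returns the payload length, or -1 when the header is truncated, the size is
 * smaller than the header it covers, the payload overruns the input, or the
 * payload overruns `out`. (Real MP4 readers must also handle size 0 = "to end
 * of file" and size 1 = 64-bit largesize; both are rejected here for brevity.) */
static long read_atom_checked(const uint8_t *in, size_t inlen,
                              char type_out[4], uint8_t *out, size_t outcap) {
    if (inlen < 8) return -1;
    uint32_t size = be32(in);
    if (size < 8) return -1;
    size_t payload = size - 8;
    if (payload > inlen - 8) return -1;
    if (payload > outcap) return -1;
    memcpy(type_out, in + 4, 4);
    memcpy(out, in + 8, payload);
    return (long)payload;
}

/* Constructed sample: a well-formed 16-byte 'free' atom (8 payload bytes). */
static const uint8_t good_atom[16] = {
    0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e',
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };

/* Constructed sample: same atom, but the size field claims 0x0000FFFF bytes
 * while only 8 payload bytes follow. An unchecked reader would memcpy 65527
 * bytes into a 32-byte stack buffer. */
static const uint8_t crafted_atom[16] = {
    0x00, 0x00, 0xff, 0xff, 'f', 'r', 'e', 'e',
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };

long demo_checked_good(void) {
    char type[4]; uint8_t out[ATOM_BUF];
    return read_atom_checked(good_atom, sizeof good_atom, type, out, sizeof out);
}

long demo_checked_crafted(void) {
    char type[4]; uint8_t out[ATOM_BUF];
    return read_atom_checked(crafted_atom, sizeof crafted_atom, type, out, sizeof out);
}

/* Header cut off after 4 bytes: the checked reader must refuse it too. */
long demo_checked_truncated(void) {
    char type[4]; uint8_t out[ATOM_BUF];
    return read_atom_checked(good_atom, 4, type, out, sizeof out);
}

/* 1 if the checked reader recovered the 'free' type code from the good atom. */
int demo_checked_type_is_free(void) {
    char type[4]; uint8_t out[ATOM_BUF];
    if (read_atom_checked(good_atom, sizeof good_atom, type, out, sizeof out) < 0) return 0;
    return memcmp(type, "free", 4) == 0;
}

size_t demo_unchecked_good(void) {
    char type[4];
    return read_atom_unchecked(good_atom, type);
}

int main(void) {
    printf("checked, well-formed atom: %ld payload bytes\n", demo_checked_good());
    printf("checked, crafted atom:     %ld (rejected)\n", demo_checked_crafted());
    printf("checked, truncated header: %ld (rejected)\n", demo_checked_truncated());
    printf("unchecked, well-formed:    %zu payload bytes\n", demo_unchecked_good());
    return 0;
}
```

The point of the hardened version is that the check is done against two independent limits: the capacity of the destination buffer (the bug in APar_readX/APar_read64 per the CVE text) and the number of input bytes actually available, since a size that is within the buffer but past the end of the file is a separate over-read. A fuzzer feeding crafted size fields to the unchecked variant under ASan is the quickest way to reproduce the stack-buffer-overflow report class.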
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34b20a2a80202eb26b8146fd84e57d25890d6aa1

commit 34b20a2a80202eb26b8146fd84e57d25890d6aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:43:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:43:48 +0000

    media-video/atomicparsley: add 0.9.6_p20210715_p151551 (fork)

    Switch to fork with some CVE patches and build system fixes (changed
    to CMake from homebrew build script which e.g. didn't notice errors).

    Closes: https://bugs.gentoo.org/832361
    Bug: https://bugs.gentoo.org/713696
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/atomicparsley/Manifest                        |  1 +
 .../atomicparsley-0.9.6_p20210715_p151551.ebuild          | 32 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccefe6f68bddd76532fb573f55e75055680c6f9c

commit ccefe6f68bddd76532fb573f55e75055680c6f9c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-31 01:53:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-31 01:55:04 +0000

    profiles: last-rite media-video/atomicparsley-wez

    Use media-video/atomicparsley instead which has been switched to the fork.

    Bug: https://bugs.gentoo.org/668708
    Bug: https://bugs.gentoo.org/716268
    Bug: https://bugs.gentoo.org/731090
    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58baa472e12220341d66f6d51fa2de0b768c5c98

commit 58baa472e12220341d66f6d51fa2de0b768c5c98
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-11-12 17:28:58 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-11-12 17:32:47 +0000

    media-video/atomicparsley: Drop old versions

    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 media-video/atomicparsley/Manifest                |  1 -
 .../atomicparsley/atomicparsley-0.9.0.ebuild      | 38 ----------------------
 2 files changed, 39 deletions(-)
Thanks!
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=191e466b7a8af878d08a0cf4f41d8be2e180d9d9

commit 191e466b7a8af878d08a0cf4f41d8be2e180d9d9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:11:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-01 ] AtomicParsley: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/806845
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-01.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)