| Name | CVE-2021-37232 |
| Description | A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 993366 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| atomicparsley (PTS) | buster, bullseye | 0.9.6-2 | vulnerable |
| sid, trixie, bookworm | 20210715.151551.e7ad03a-1 | fixed |
| gtkpod (PTS) | buster | 2.1.5-6 | fixed |
| bullseye | 2.1.5-8 | fixed |
| bookworm | 2.1.5-10 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| atomicparsley | source | (unstable) | 20210715.151551.e7ad03a-1 | | | 993366 |
| gtkpod | source | (unstable) | (not affected) | | | |
Notes
[bullseye] - atomicparsley <no-dsa> (Minor issue)
[buster] - atomicparsley <no-dsa> (Minor issue)
[stretch] - atomicparsley <no-dsa> (Minor issue)
- gtkpod <not-affected> (Vulnerable code not present, cf #993376)
https://github.com/wez/atomicparsley/commit/d72ccf06c98259d7261e0f3ac4fd8717778782c1
https://github.com/wez/atomicparsley/issues/32
gtkpod does not contain the code supporting tkhd version 1
that overflows with 64-bit creation/modified times