
Bug#993376: gtkpod: CVE-2021-32732 - stack overflow in embedded AtomicParsley code APar_read64



Package: gtkpod
Version: 2.1.5-6
Severity: important
Tags: security

https://github.com/wez/atomicparsley/issues/32

See also #993366

gtkpod embeds a vulnerable version of AtomicParsley which causes a stack overflow;
however, the data file used to test atomicparsley upstream is not recognised by gtkpod.

Note that in #993366, the upstream fix for this CVE does not resolve the issue as described when
the upstream fix is applied to atomicparsley, so more work may be needed here to identify the
problem as it applies to the version of atomicparsley used by gtkpod.

From a check of the embedded source code, the vulnerable code can be found at:

https://sources.debian.org/src/gtkpod/2.1.5-8/libs/atomic-parsley/AP_AtomExtracts.cpp/#L1325

