Bug#993376: gtkpod: CVE-2021-32732 - stack overflow in embedded AtomicParsley code APar_read64
Package: gtkpod
Version: 2.1.5-6
Severity: important
Tags: security
https://github.com/wez/atomicparsley/issues/32
See also #993366
gtkpod embeds a vulnerable version of AtomicParsley which causes a stack overflow;
however, the data file used to test atomicparsley upstream is not recognised by gtkpod.
Note that in #993366, the upstream fix for this CVE does not resolve the issue as described when
the upstream fix is applied to atomicparsley, so more work may be needed here to identify the
problem as it applies to the version of atomicparsley used by gtkpod.
From a check of the embedded source code, the vulnerable code can be found at:
https://sources.debian.org/src/gtkpod/2.1.5-8/libs/atomic-parsley/AP_AtomExtracts.cpp/#L1325