
Bug#993366: atomicparsley: CVE-2021-37232 - stack overflow in APar_read64 in src/extract.cpp
Package: atomicparsley
Version: 0.9.6-2
Severity: important
Tags: security upstream

AtomicParsley at the version in buster, bullseye, bookworm and sid causes a stack overflow
when tested with the data file from the upstream bug report for CVE-2021-37232:

https://github.com/wez/atomicparsley/issues/32

The upstream specified in the Homepage and copyright information in the Debian package
is no longer active and the CVE was reported against the new upstream. However, the
vulnerable code still exists in the version of AtomicParsley in Debian and running
the Debian package using the data file from the bug report does cause a stack overflow
in the same way.

(See #987034 which gives the updated location for the upstream.)

Note that the fix applied to the new upstream does **not** fix the issue in the version
in Debian, so more investigation will be required to get a fix.

There is no uploader specified in the packaging at salsa, only the team alias.

Maybe this package should be formally orphaned or removed?

-- System Information:
Debian Release: 10.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atomicparsley depends on:
ii  libc6       2.28-10
ii  libgcc1     1:8.3.0-6
ii  libstdc++6  8.3.0-6
ii  zlib1g      1:1.2.11.dfsg-1

atomicparsley recommends no packages.

atomicparsley suggests no packages.

-- no debconf information
