VYPR
Unrated severity · NVD Advisory · Published Aug 4, 2021 · Updated Aug 4, 2024

CVE-2021-37231

Description

A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-buffer-overflow in Atomicparsley 20210124.204813.840499f via APar_readX() allows denial of service or potential code execution via crafted MP4 file.

Vulnerability

A stack-buffer-overflow vulnerability exists in Atomicparsley version 20210124.204813.840499f in the APar_readX() function in src/util.cpp. The function lacks a boundary check when reading data from a crafted MP4 file, leading to a write of size 0x203c (8252 bytes) into a stack buffer, as demonstrated by AddressSanitizer output [1]. The overflow occurs during parsing of the file when using arguments such as -T 1 -t +.
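
The bug class described above, as an added illustration (not AtomicParsley's code or its upstream fix): a file reader that trusts a file-supplied length, next to one that checks the length against the buffer capacity first. The function names, the 256-byte buffer and the sample file are assumptions made for the example; only the 0x203c request size comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (the bug class the advisory describes): the length comes
 * from the file and is never compared to the destination's capacity. */
size_t read_at_unchecked(char *dst, FILE *fp, long pos, uint32_t length) {
    if (fseek(fp, pos, SEEK_SET) != 0) return 0;
    return fread(dst, 1, length, fp);  /* writes past dst when length > capacity */
}

/* Hardened form: the caller passes the capacity and an oversized request is
 * refused before any byte is written. Returns bytes read, or -1 on refusal. */
long read_at_checked(char *dst, size_t dst_cap, FILE *fp, long pos, uint32_t length) {
    if (dst == NULL || fp == NULL || pos < 0) return -1;
    if ((size_t)length > dst_cap) return -1;       /* the missing boundary check */
    if (fseek(fp, pos, SEEK_SET) != 0) return -1;
    size_t got = fread(dst, 1, length, fp);
    if (got != length) return -1;                  /* short read: treat file as malformed */
    return (long)got;
}

/* Constructed sample input: a temp file of n bytes holding the pattern i & 0xff. */
FILE *make_sample(size_t n) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    for (size_t i = 0; i < n; i++) fputc((int)(i & 0xff), fp);
    rewind(fp);
    return fp;
}

/* A 0x203c-byte request (the size in the ASan report) against a 256-byte
 * stack buffer (capacity chosen for illustration), then a request that fits. */
int demo(void) {
    char buf[256];
    memset(buf, 0xAA, sizeof buf);
    FILE *fp = make_sample(9000);
    if (fp == NULL) return -2;
    long oversized = read_at_checked(buf, sizeof buf, fp, 0, 0x203c);
    long ok = read_at_checked(buf, sizeof buf, fp, 4, 16);
    fclose(fp);
    return (oversized == -1 && ok == 16 && buf[0] == 4) ? 0 : -1;
}

int main(void) {
    printf("demo: %s\n", demo() == 0 ? "oversized read rejected" : "unexpected");
    return 0;
}
```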

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted MP4 file to Atomicparsley. No authentication or special privileges are required; the user only needs to run the tool on the malicious file. The crash occurs in the APar_ExtractTrackDetails call chain, when APar_readX writes the data it reads from the file past the end of the stack buffer [1]. The exploit does not require user interaction beyond opening the file.

Impact

Successful exploitation results in a stack-buffer-overflow, which can cause a segmentation fault and denial of service. Under certain conditions, it may allow arbitrary code execution, as indicated by the Gentoo security advisory [2]. The vulnerability affects the confidentiality, integrity, and availability of the system depending on the attacker's ability to control the overflow data.

Mitigation

The vulnerability is fixed in Atomicparsley version 0.9.6_p20210715_p151551 and later, as per the Gentoo GLSA 202305-01 [2]. Users should upgrade to this version or later. If upgrading is not possible, avoid processing untrusted MP4 files with Atomicparsley. No other workarounds are documented.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
