AtomicParsley: Multiple Vulnerabilities — GLSA 202305-01

Multiple vulnerabilities have been discovered in AtomicParsley, the worst of which could result in arbitrary code execution.

Affected packages

Package: media-video/atomicparsley on all architectures
Affected versions: < 0.9.6_p20210715_p151551
Unaffected versions: >= 0.9.6_p20210715_p151551

Package: media-video/atomicparsley-wez on all architectures
Affected versions: <= 0.9.6
Unaffected versions:

Background

AtomicParsley is a command line program for manipulating iTunes-style metadata in MPEG4 files.

Description

Multiple vulnerabilities have been discovered in AtomicParsley. Please review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

Users can pass only trusted input to AtomicParsley.

Resolution

Previously, the "wez" AtomicParsley fork was packaged in Gentoo as media-video/atomicparsley-wez. This fork is now packaged as media-video/atomicparsley, so users of the fork's package should now depclean it:

    # emerge --ask --depclean "media-video/atomicparsley-wez"

All AtomicParsley users should upgrade to the latest version, which is a packaging of the "wez" AtomicParsley fork:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/atomicparsley-0.9.6_p20210715_p151551"

References

CVE-2021-37231
CVE-2021-37232