AtomicParsley: Multiple Vulnerabilities — GLSA 202305-01

Multiple vulnerabilities have been discovered in AtomicParsley, the worst of which could result in arbitrary code execution.

Affected packages

media-video/atomicparsley on all architectures
  Affected versions: < 0.9.6_p20210715_p151551
  Unaffected versions: >= 0.9.6_p20210715_p151551

media-video/atomicparsley-wez on all architectures
  Affected versions: <= 0.9.6
  Unaffected versions:

Background

AtomicParsley is a command line program for manipulating iTunes-style metadata in MPEG4 files.

Description

Multiple vulnerabilities have been discovered in AtomicParsley. Please review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

As a workaround, users can pass only trusted input to AtomicParsley.

Resolution

Previously, the "wez" AtomicParsley fork was packaged in Gentoo as media-video/atomicparsley-wez. This fork is now packaged as media-video/atomicparsley, so users of the fork's package should now depclean it:

 # emerge --ask --depclean "media-video/atomicparsley-wez"

All AtomicParsley users should upgrade to the latest version, which is a packaging of the "wez" AtomicParsley fork:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/atomicparsley-0.9.6_p20210715_p151551"

References

Release date
May 03, 2023

Latest revision
May 03, 2023: 1

Severity
normal

Exploitable
remote

Bugzilla entries