CVE-2021-37232: 
NixOS vulnerability analysis and mitigation

A stack overflow vulnerability was discovered in Atomicparsley version 20210124.204813.840499f and earlier, identified as CVE-2021-37232. The vulnerability exists in the APar_read64() function in src/util.cpp due to insufficient buffer size validation while reading bytes in APar_read64. The issue was discovered in July 2021 and affects the command line program used for manipulating iTunes-style metadata in MPEG4 files (GitHub Issue, NVD).

The vulnerability stems from a buffer size mismatch in the APar_ExtractDetails() function where a fixed-size stack buffer (uint32_buffer) of 5 bytes was declared but 8 bytes were being read into it via fread() in the APar_read64() function. This leads to a stack buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow remote attackers to execute arbitrary code on affected systems. Due to the critical CVSS score and the nature of buffer overflow vulnerabilities, successful exploitation could lead to complete system compromise with the privileges of the running process (NVD).

The vulnerability has been patched by increasing the buffer size from 5 to 8 bytes in the APar_ExtractDetails() function. Users should upgrade to a version after commit d72ccf06c98259d7261e0f3ac4fd8717778782c1. For Gentoo users, the fix is available in media-video/atomicparsley version 0.9.6_p20210715_p151551 or later (Gentoo Advisory, GitHub Patch).