Package: atomicparsley Version: 0.9.6-2 Severity: important Tags: security upstream
AtomicParsley at the version in buster, bullseye, bookworm and sid causes a stack overflow when tested with the data file from the upstream bug report for CVE-2021-37232: https://github.com/wez/atomicparsley/issues/32 The upstream specified in the Homepage and copyright information in the Debian package is no longer active and the CVE was reported against the new upstream. However, the vulnerable code still exists in the version of AtomicParsely in Debian and running the Debian package using the data file from the bug report does cause a stack overflow in the same way. (See #987034 which gives the updated location for the upstream.) Note that the fix applied to the new upstream does **not** fix the issue in the version in Debian, so more investigation will be required to get a fix. There is no uploader specified in the packaging at salsa, only the team alias. Maybe this package should be formally orphaned or removed? -- System Information: Debian Release: 10.10 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages atomicparsley depends on: ii libc6 2.28-10 ii libgcc1 1:8.3.0-6 ii libstdc++6 8.3.0-6 ii zlib1g 1:1.2.11.dfsg-1 atomicparsley recommends no packages. atomicparsley suggests no packages. -- no debconf information

