CVE-2021-40827

NameCVE-2021-40827
DescriptionClementine Music Player through 1.3.1 (when a GLib 2.0.0 DLL is used) is vulnerable to a Read Access Violation on Block Data Move, affecting the MP3 file parsing functionality at memcpy+0x265. The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine. Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clementine (PTS)jessie1.2.3+dfsg-2vulnerable
stretch1.3.1+git276-g3485bbe43+dfsg-1vulnerable
buster1.3.1+git609-g623a53681+dfsg-1vulnerable
bullseye1.4.0~rc1+git347-gfc4cb6fc7+dfsg-1+deb11u1vulnerable
sid, trixie, bookworm1.4.0~rc1+git867-g9ef681b0e+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clementinesource(unstable)(unfixed)unimportant

Notes

https://voidsec.com/advisories/cve-2021-40827/
Bogus report with hardly useful details whether affects clementine/gstreamer, but
regardless just a crash in a CLI tool

Search for package or bug name: Reporting problems