There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
Stack overflow in the parse_tag function in libass/ass_parse.c in libass before 0.15.0 allows remote attackers to cause a denial of service or remote code execution via a crafted file.
In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` causes a signed integer overflow.
You can find information about how to handle these issues in the security team's documentation.