CVE-2020-21601: 
NixOS vulnerability analysis and mitigation

libde265 version 1.0.4 contains a stack buffer overflow vulnerability in the putqpelfallback function. The vulnerability was discovered in December 2019 and was assigned CVE-2020-21601. This security flaw affects the libde265 library, which is an implementation of the H.265 video codec (Debian Security, GitHub Issue).

The vulnerability is a stack buffer overflow that occurs in the putqpelfallback function when processing crafted media files. The issue manifests as a READ operation of size 2 at an invalid memory location, specifically affecting the motion compensation functionality of the codec. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD Database).

When exploited, this vulnerability can lead to denial of service conditions and potentially allow for the execution of arbitrary code when processing malformed media files. The primary impact is on system availability, as indicated by the CVSS metrics showing high availability impact but no direct effect on confidentiality or integrity (Debian Security).

The vulnerability has been fixed in subsequent releases. For Debian's stable distribution (bullseye), the fix was included in version 1.0.11-0+deb11u1. Users are recommended to upgrade their libde265 packages to the latest version (Debian Security).