CVE-2021-20205: 
NixOS vulnerability analysis and mitigation

CVE-2021-20205 affects Libjpeg-turbo versions 2.0.91 and 2.0.90, specifically related to a denial of service vulnerability. The vulnerability is caused by a divide by zero condition when processing a crafted GIF image. The issue was discovered in March 2021 and was assigned a CVSS v3.1 base score of 6.5 (Medium severity) (NVD).

The vulnerability is classified as CWE-369 (Divide By Zero) and has a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue specifically affects the cjpeg utility application, which is used to demonstrate the usage of the libjpeg API library. Importantly, the vulnerability was confined to the cjpeg application and did not affect the core library itself (RedHat Bugzilla).

The vulnerability's impact is limited to denial of service through application crash when processing specially crafted GIF images. It's worth noting that this only affects the cjpeg demonstration utility and not the core library functionality, meaning other applications using the library were not impacted (RedHat Bugzilla).

The vulnerability was fixed in libjpeg-turbo 2.1. For affected systems, updates were released through various distribution channels. Fedora released security updates (version 2.0.90-2.fc34) to address the vulnerability (Fedora Update).