CVE-2021-21838: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. The vulnerability was discovered in August 2021 and affects GPAC Project Advanced Content v1.0.1 (Talos Report).

The vulnerability occurs in the MPEG-4 decoding functionality when parsing atoms within an MPEG-4 container. The library reads fields from the atom's contents to calculate buffer sizes but fails to properly validate these values, leading to integer overflows. This results in undersized heap allocations being made. When the library later attempts to read the atom's contents into these undersized buffers, it causes heap-based buffer overflows. The vulnerability has been assigned a CVSS v3.0 score of 8.8 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified as CWE-680 (Integer Overflow to Buffer Overflow) (Talos Report).

A successful exploit could allow an attacker to achieve code execution under the context of the library when a user opens a specially crafted video file. This could lead to unauthorized access, information disclosure, and system compromise (Talos Report).

The vulnerability has been fixed in updated versions of the software. Debian has released security updates to address this issue in version 1.0.1+dfsg1-4+deb11u1 for the bullseye distribution. The oldstable distribution (buster) is not affected by this vulnerability (Debian Advisory).