CVE-2021-21847: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2021-21847) was discovered in the GPAC Project on Advanced Content library v1.0.1. The vulnerability exists within the MPEG-4 decoding functionality, specifically in the "stts" decoder. When processing a specially crafted MPEG-4 input, an integer overflow can occur due to unchecked arithmetic operations, resulting in a heap-based buffer overflow that causes memory corruption. This vulnerability was disclosed on August 16, 2021 (Talos Report).

The vulnerability is caused by an integer overflow in the "stts" decoder component of the GPAC library. When processing MPEG-4 content, the library performs arithmetic operations without proper boundary checks, which can lead to a heap-based buffer overflow. The vulnerability has been assigned a CVSSv3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with potential for remote exploitation requiring user interaction (Talos Report).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code under the context of the library. The attacker could achieve this by convincing a user to open a specially crafted video file, potentially leading to complete system compromise with the same privileges as the application using the GPAC library (Talos Report).

The vulnerability has been addressed in subsequent versions of the GPAC library. Users of affected versions should upgrade to a patched version. For Debian systems, the fix has been included in version 1.0.1+dfsg1-4+deb11u1 for the bullseye distribution (Debian Advisory).