CVE-2021-21859: 
NixOS vulnerability analysis and mitigation

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The vulnerability is specifically in the striboxread function when processing atoms using the 'stri' FOURCC code. The vulnerability was discovered and disclosed in August 2021 (Talos Intelligence).

The vulnerability occurs in the striboxread function when processing MPEG-4 atoms. The function takes a 64-bit atom size and divides it by four to determine the number of attributes. When allocating memory for these attributes, an integer overflow can occur, resulting in a zero-sized allocation. The function then attempts to write into this undersized buffer, causing a heap-based buffer overflow and memory corruption. The vulnerability has been assigned a CVSSv3 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Intelligence).

If successfully exploited, this vulnerability could lead to memory corruption and potentially allow for arbitrary code execution under the context of the application. An attacker can trigger this vulnerability by convincing a user to open a specially crafted video file (NVD).

The vulnerability has been fixed in GPAC version 1.0.1+dfsg1-4+deb11u1 for Debian's stable distribution (bullseye). Users are encouraged to upgrade their GPAC installations to the latest version. The oldstable distribution (buster) is not affected by this vulnerability (Debian Security).