CVE-2021-21860: 
NixOS vulnerability analysis and mitigation

CVE-2021-21860 is an exploitable integer truncation vulnerability discovered in the MPEG-4 decoding functionality of GPAC Project Advanced Content library v1.0.1. The vulnerability was disclosed on August 16, 2021. When processing the 'trik' FOURCC code in the MPEG-4 container format, the library performs an integer truncation that can lead to an undersized buffer allocation (Talos Report).

The vulnerability occurs in the trik_box_read function when processing MPEG-4 containers. The function truncates a 64-bit atom size to 32-bits and uses it to calculate a buffer size by multiplying it with the size of GF_TrickPlayBoxEntry structure. This multiplication can result in an integer overflow, leading to an undersized allocation. When the function subsequently reads data into this buffer, it causes a heap-based buffer overflow. The vulnerability has a CVSS v3.0 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report).

A successful exploitation of this vulnerability could result in memory corruption and potentially lead to arbitrary code execution under the context of the library. An attacker can trigger this vulnerability by convincing a user to open a specially crafted video file (Talos Report).

The vulnerability has been fixed in subsequent releases. Users should upgrade to patched versions of the software. For Debian systems, the fix was included in version 1.0.1+dfsg1-4+deb11u1 for the bullseye distribution (Debian Advisory).