CVE-2021-22204: 
NixOS vulnerability analysis and mitigation

CVE-2021-22204 is a vulnerability discovered in ExifTool versions 7.44 and up through 12.23, affecting the DjVu file format module. The vulnerability was disclosed in April 2021 and involves improper neutralization of user data when parsing malicious images, which could lead to arbitrary code execution (NVD, OSS Security).

The vulnerability stems from a bug in the DjVu module's string parsing mechanism. The issue specifically relates to how the code determines string endings using regex patterns, where '$' matches both the end of string and before trailing newlines, instead of using '\z' to match only the end of string. This implementation flaw allows for code injection through maliciously crafted DjVu files (OSS Security). The vulnerability has been assigned a CVSS 3.1 base score of 7.8 (High), with attack vector being local, low attack complexity, no privileges required, and user interaction required (Ubuntu).

The vulnerability allows attackers to execute arbitrary code when a malicious image is processed by ExifTool. The impact is rated as high for confidentiality, integrity, and availability. The vulnerability can be triggered through various valid file formats that utilize the DjVu module (OSS Security, Ubuntu).

The vulnerability was fixed in ExifTool version 12.24. The fix involved removing the problematic eval() implementation rather than fine-tuning the regex pattern. Major Linux distributions have released security updates, including Debian (versions 10.40-1+deb9u1 for Stretch and 11.16-1+deb10u1 for Buster), Ubuntu, and Fedora (Debian Security, Fedora Update).