CVE-2021-23159: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2021-23159) was discovered in SoX (Sound eXchange) software, specifically in the lsxreadwbuf() function within the formatsi.c file. The vulnerability was reported on June 24, 2021, and affects various versions of the SoX package across multiple Linux distributions (MITRE, Ubuntu).

The vulnerability is identified as a heap-based buffer overflow occurring in the lsxreadwbuf() function at line 376 of formatsi.c. According to the CVSS 3.1 scoring system, it has received a medium severity rating of 5.5. The attack vector is local, with low attack complexity, requiring no privileges but user interaction. The scope is unchanged, with no impact on confidentiality or integrity, but high impact on availability (Ubuntu).

When successfully exploited, this vulnerability could cause the application to crash through a specially crafted file, potentially leading to a denial of service condition. The impact is primarily focused on availability, with no direct effects on system confidentiality or integrity (MITRE, Debian).

Multiple Linux distributions have released fixes for this vulnerability. Ubuntu has patched various versions including 22.04 LTS (jammy), 20.04 LTS (focal), and 18.04 LTS (bionic). Debian has also released fixes in versions 14.4.2+git20190427-2+deb11u2 for bullseye and 14.4.2+git20190427-3.5 for bookworm (Ubuntu, Debian).