CVE-2021-28831: 
NixOS vulnerability analysis and mitigation

CVE-2021-28831 affects BusyBox through version 1.32.1, specifically in the decompressgunzip.c component. The vulnerability was discovered in March 2021 and involves mishandling of the error bit on the huftbuild result pointer when processing gzip data. This vulnerability affects various Linux distributions using BusyBox, including Debian, Fedora, Ubuntu, and Gentoo (NVD, Debian Security).

The vulnerability exists in the decompressgunzip.c file where the code incorrectly handles the error bit on the huftbuild result pointer. When processing malformed gzip data, the huftbuild function sets an error bit on the result pointer, but if abortunzip is subsequently called, huft_free might encounter a segmentation fault or attempt to free an invalid pointer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial of service condition through either an invalid free operation or a segmentation fault when processing malformed gzip data. This could affect system stability and availability when processing compressed files (Gentoo Security).

The vulnerability was fixed in the BusyBox codebase through a patch that properly handles the error bit in the huft_free function. The fix involves checking and clearing the error bit before attempting to free the linked list. Users are advised to upgrade to patched versions of BusyBox. Various distributions have released security updates: Debian 9 (1:1.22.0-19+deb9u2), Fedora (1.32.1-1), and Gentoo (>=1.32.1) (Busybox Commit, Debian LTS).