CVE-2021-29946: 
NixOS vulnerability analysis and mitigation

CVE-2021-29946 is a security vulnerability discovered in Mozilla Firefox and related products that affects port blocking functionality. The vulnerability was disclosed on April 19, 2021, and affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. The issue allows ports written as an integer overflow above the bounds of a 16-bit integer to bypass port blocking restrictions when used in the Alt-Svc header (Mozilla Advisory, NVD).

The vulnerability stems from an implementation flaw in how port numbers are handled. When processing the Alt-Svc header, the system parses port numbers as 32-bit integers without properly checking if they fall within the valid 16-bit port range. This integer overflow condition could allow bypassing of port blocking restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to bypass port blocking restrictions, potentially enabling access to normally restricted ports. The impact is rated as 'low' in Mozilla's assessment, though the secondary effects could be more severe in busy network environments, particularly in enterprise scenarios (Mozilla Advisory).

The vulnerability was fixed in Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10. The fix involves implementing proper port range validation to ensure port numbers don't exceed 16-bit integer bounds. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Mozilla Advisory, Mozilla Advisory ESR).