CVE-2021-32490: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2021-32490) was discovered in djvulibre version 3.5.28 and earlier versions. The flaw was reported on March 26, 2021, and involves an out-of-bounds write vulnerability in the DJVU::filterbv() function. The vulnerability affects the DjVu document format handling library and its associated tools ([RedHat Bug](https://bugzilla.redhat.com/showbug.cgi?id=1943693), Debian Advisory).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L), requiring low attack complexity (AC:L) with no privileges required (PR:N) but user interaction (UI:R). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The exploitation of this vulnerability through a crafted DjVu file can lead to application crashes and potentially other severe consequences. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability (NVD, Debian Advisory).

Fixed versions have been released for various distributions. Debian has addressed this in version 3.5.27.1-10+deb10u1 for the oldstable distribution (buster) and version 3.5.28-2 for the stable distribution (bullseye). Users are recommended to upgrade their djvulibre packages to these patched versions (Debian Advisory).

The vulnerability was discovered and reported by 1vanChen from the NSFOCUS Security Team (RedHat Bug).