CVE-2021-32493: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability was discovered in djvulibre version 3.5.28 and earlier versions. The vulnerability exists in the DJVU::GBitmap::decode() function and can be triggered via a crafted djvu file. This vulnerability was assigned CVE-2021-32493 and was first reported on March 26, 2021 (RedHat Bug).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The attack requires local access and user interaction, but no privileges are required to exploit it (NVD).

If successfully exploited, this vulnerability could lead to application crashes and potentially allow for arbitrary code execution through crafted DjVu files. The vulnerability affects the confidentiality, integrity, and availability of the system, with all three aspects rated as High in the CVSS scoring (Debian Advisory).

Multiple Linux distributions have released patches to address this vulnerability. Debian has fixed the issue in version 3.5.28-2 for the stable distribution (bullseye) and version 3.5.27.1-10+deb10u1 for the oldstable distribution (buster). Ubuntu has also released fixes across multiple versions: 3.5.28-1ubuntu0.1 for 21.04, 3.5.27.1-15ubuntu0.1 for 20.10, and 3.5.27.1-14ubuntu0.1 for 20.04 LTS (Ubuntu Security).