CVE-2021-33361: 
NixOS vulnerability analysis and mitigation

Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. The vulnerability was discovered in May 2021 and assigned CVE-2021-33361. This security flaw affects GPAC multimedia framework version 1.0.1 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access and user interaction to exploit, but can result in high confidentiality impact without affecting integrity or availability. The issue is classified as CWE-401: Missing Release of Memory after Effective Lifetime (NVD).

The vulnerability allows attackers to read memory through a crafted file, potentially exposing sensitive information. The confidentiality impact is rated as high, though there are no direct impacts on system integrity or availability (NVD).

A fix for this vulnerability was released in the Debian security update DSA-5411-1. For the Debian stable distribution (bullseye), the issue has been fixed in version 1.0.1+dfsg1-4+deb11u2. Users are recommended to upgrade their gpac packages to the patched version (Debian Security). The fix has also been implemented in the GPAC repository through commit a51f951 (GPAC Commit).