CVE-2021-3345: 
NixOS vulnerability analysis and mitigation

A critical security vulnerability (CVE-2021-3345) was discovered in Libgcrypt version 1.9.0. The vulnerability is a heap-based buffer overflow in the _gcry_md_block_write function located in cipher/hash-common.c, which occurs when the digest final function sets a large count value (GnuPG Announce, NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector requires local access (AV:L), with low attack complexity (AC:L), requires low privileges (PR:L), no user interaction (UI:N), and can affect confidentiality, integrity, and availability at a high level (C:H/I:H/A:H) (NVD).

A successful exploitation of this vulnerability could allow an attacker to overflow a heap buffer with attacker-controlled data. The vulnerability is exploitable through simple means and can be triggered just by decrypting data, without requiring any verification or signature validation (GnuPG Announce).

The vulnerability was fixed in Libgcrypt version 1.9.1. Users of version 1.9.0 are strongly advised to upgrade immediately to version 1.9.1 or later. Users of the 1.8 LTS branch are not affected by this vulnerability (GnuPG Announce).

The GnuPG Project issued an urgent announcement asking users to stop using Libgcrypt 1.9.0 immediately. The vulnerability was considered severe enough that the 1.9.0 tarballs were renamed on the FTP server to prevent scripts from downloading this version (GnuPG Announce).