CVE-2021-33896: 
NixOS vulnerability analysis and mitigation

CVE-2021-33896 is a directory traversal vulnerability discovered in Dino, a modern XMPP instant messenger. The vulnerability affects Dino versions before 0.1.2 and 0.2.x before 0.2.1, and was disclosed on June 7, 2021. The vulnerability was discovered by CTurt from Google (Dino Security).

The vulnerability allows directory traversal through URI-encoded path separators in file names during file transfers. When a user receives and downloads a file, the URI-encoded path separators in the filename are decoded, enabling directory traversal and creation of arbitrary files in the user's context. The vulnerability has a CVSS score of 4.7 (Medium) with the following vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. While the path separators are displayed to the user, attackers can hide them by using long filenames that get ellipsized in the middle (OSS Security).

The vulnerability allows attackers to create arbitrary files in the context of the user. While it does not permit overwriting or modifying existing files, nor control over executable flags, it could potentially lead to code execution through the creation of malicious configuration files that might affect third-party software (Dino Security).

Users should upgrade to the fixed versions: Release version 0.2.1, Release version 0.1.2, or Nightly version 0.2.0~git114.20210607.0c8d25b7. Alternatively, administrators can apply the patch from commit 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495 (Dino Security).