CVE-2021-34555: 
NixOS vulnerability analysis and mitigation

OpenDMARC versions 1.4.1 and 1.4.1.1 contain a vulnerability that was discovered in June 2021. The vulnerability allows remote attackers to cause a denial of service through a NULL pointer dereference and application crash by exploiting a multi-value From header field (NVD).

The vulnerability (CVE-2021-34555) is caused by a NULL pointer dereference in the multi-value From header field handling logic. The issue has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with no privileges required (NVD). The vulnerability is classified as CWE-476 (NULL Pointer Dereference).

When exploited, the vulnerability results in a denial of service condition through application crash. The attack can be triggered remotely by sending specially crafted emails with multi-value From headers, causing the OpenDMARC service to crash (GitHub Issue).

A patch was developed and merged that fixes the broken reject logic when a multi-value From header field is detected and adds a guard against dereferencing of NULL domains. The fix was included in version 1.4.2 of OpenDMARC. Various distributions have also backported the fix to their packages, including Debian and Fedora (GitHub PR, Fedora Update).