
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenEXR versions before 3.0.0-beta contain a flaw: an attacker who can submit a crafted file for OpenEXR to process can trigger an integer overflow. The vulnerability was discovered in March 2021 and is tracked as CVE-2021-3475. The issue affects the OpenEXR image format processing library, which is commonly used in computer imaging applications (NVD, CVE).
The vulnerability is an integer overflow in the calculateNumTiles() function of OpenEXR/IlmImf/ImfTiledMisc.cpp, reached when the tile size taken from the file is MAXINT: the per-level tile count is computed from the level size plus the tile size in a 32-bit integer, and that sum overflows. The flaw was addressed by using a 64-bit integer type to hold the return value of the levelSize() function so the intermediate no longer overflows. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L ([Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1939144)).
Successful exploitation affects availability only (C:N/I:N/A:L in the vector above): the overflow can crash the application that processes a specially crafted EXR image file, resulting in denial of service (NVD).
The vulnerability was fixed in OpenEXR versions 3.0.0-beta, 2.5.4, and 2.4.3. Users are advised to upgrade to these or later versions. The fix was implemented through a patch that modifies the integer type used in the calculateNumTiles() function (Red Hat Bugzilla).
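The following is a simplified reconstruction, added here and not OpenEXR's own code, of the tile-count computation described above: a levelSize() that halves the image extent per mip level, a vulnerable numTilesVulnerable() that forms levelSize + size - 1 in 32 bits, and a hardened numTilesFixed() that holds the intermediate in a 64-bit integer as the fix does. Because signed overflow is undefined behaviour in C++, the vulnerable variant simulates the two's-complement wrap a typical build produces instead of executing the overflow itself. The function names, the RoundingMode enum and the extra rejection of non-positive tile sizes in the fixed variant are assumptions of this example, not part of the library.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Assumed enum for this example; OpenEXR uses its own LevelRoundingMode.
enum RoundingMode { ROUND_DOWN, ROUND_UP };

// Extent of one mip level of an image spanning [min, max].
int levelSize(int min, int max, int level, RoundingMode rmode)
{
    if (level < 0)
        throw std::invalid_argument("level must not be negative");
    int a = max - min + 1;   // full-resolution extent
    int b = 1 << level;      // downsampling factor for this level
    int size = a / b;
    if (rmode == ROUND_UP && size * b < a)
        size += 1;
    return std::max(size, 1);
}

// Vulnerable form: levelSize + size - 1 is formed in a 32-bit int, so a tile
// size of INT_MAX taken from the file wraps the sum negative. The wrap is
// simulated with unsigned arithmetic to avoid undefined behaviour here.
std::vector<int32_t> numTilesVulnerable(int numLevels, int min, int max,
                                        int size, RoundingMode rmode)
{
    std::vector<int32_t> numTiles(numLevels);
    for (int i = 0; i < numLevels; ++i) {
        uint32_t sum = static_cast<uint32_t>(levelSize(min, max, i, rmode))
                     + static_cast<uint32_t>(size) - 1u;
        int32_t wrapped = static_cast<int32_t>(sum); // INT_MIN when size == INT_MAX
        numTiles[i] = wrapped / size;                 // yields -1: a negative tile count
    }
    return numTiles;
}

// Hardened form: the intermediate lives in int64_t, so INT_MAX + small values
// cannot overflow. Rejecting size <= 0 is an additional guard in this example.
std::vector<int32_t> numTilesFixed(int numLevels, int min, int max,
                                   int size, RoundingMode rmode)
{
    if (size <= 0)
        throw std::invalid_argument("tile size must be positive");
    std::vector<int32_t> numTiles(numLevels);
    for (int i = 0; i < numLevels; ++i) {
        int64_t l = levelSize(min, max, i, rmode);
        numTiles[i] = static_cast<int32_t>((l + size - 1) / size);
    }
    return numTiles;
}

int main()
{
    // Constructed input: a 2-pixel-wide image with 3 levels and tile size INT_MAX.
    std::vector<int32_t> bad = numTilesVulnerable(3, 0, 1, INT_MAX, ROUND_DOWN);
    std::vector<int32_t> good = numTilesFixed(3, 0, 1, INT_MAX, ROUND_DOWN);
    for (int i = 0; i < 3; ++i)
        std::printf("level %d: vulnerable=%d fixed=%d\n", i, bad[i], good[i]);
    return 0;
}
```

For the constructed input the vulnerable variant reports -1 tiles at level 0 (the wrapped sum divided by INT_MAX) while the fixed variant reports 1 at every level; for an ordinary tile size both variants agree, which is why the bug only surfaces on crafted headers.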
Source: This report was generated using AI