CVE-2021-3561: 
NixOS vulnerability analysis and mitigation

A global buffer overflow vulnerability (CVE-2021-3561) was discovered in fig2dev version 3.2.8a. The vulnerability stems from a flawed bounds check in the read_objects() function within fig2dev/read.c. This security flaw affects the fig2dev utility, which is used for converting FIG files into various graphics formats (CVE Details, NVD).

The vulnerability is caused by a global buffer overflow in the read_objects() function located in fig2dev/read.c. When analyzing with AddressSanitizer, the issue was identified as a WRITE operation of size 14 bytes at an invalid memory location, specifically occurring during color definition processing. The vulnerability has a CVSS 3.1 base score of 7.1 (High), with attack vector being Local, attack complexity Low, and requiring user interaction (Ubuntu Security).

The vulnerability can allow an attacker to provide crafted malicious input that could cause the application to crash or potentially lead to memory corruption. The highest threats from this vulnerability are to system integrity and availability. The flaw could potentially be exploited through specially crafted FIG files (CVE Details).

The vulnerability has been fixed in multiple distributions. Fedora released updates for versions 33 and 34 with transfig-3.2.8a-2. Debian provided fixes in version 1:3.2.6a-2+deb9u4 for Debian 9 stretch. Ubuntu has fixed the issue in versions 1:3.2.7a-7ubuntu0.1 for focal and 1:3.2.6a-6ubuntu1.1 for bionic. Users are advised to upgrade to the patched versions (Fedora Update, Debian LTS).