CVE-2021-3630: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2021-3630) was discovered in DjVuLibre's DJVU::DjVuTXT::decode() function in DjVuText.cpp. The vulnerability affects DjVuLibre versions prior to 3.5.28 and was disclosed on June 30, 2021. The issue can be triggered via a crafted djvu file which may lead to crash and segmentation fault (NVD, RedHat Bugzilla).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 Base Score of 5.5 (Medium) and vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The CVSS v2.0 Base Score is 4.3 (Medium) with vector (AV:N/AC:M/Au:N/C:N/I:N/A:P) (NVD).

When exploited, this vulnerability can cause the application to crash and result in a segmentation fault. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed in DjVuLibre version 3.5.28. Various distributions have released security updates: Debian 9 (stretch) fixed in version 3.5.27.1-7+deb9u2, Debian 10 (buster) fixed in version 3.5.27.1-10+deb10u1, and Debian 11 (bullseye) fixed in version 3.5.28-2. Fedora has also released updates for affected versions (Debian Security, Debian LTS).