CVE-2021-38172: 
NixOS vulnerability analysis and mitigation

perM 0.4.0 contains a Buffer Overflow vulnerability related to strncpy functionality. The vulnerability was discovered in August 2021 and was initially fixed in version 0.4.0-7 by Debian. The affected software is the perM package, which is an efficient mapping tool for short reads with periodic spaced seeds (Debian Bug, Debian Med).

The vulnerability is classified as a classic buffer overflow (CWE-120) with a CVSS v3.1 Base Score of 9.8 (CRITICAL) and vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue was discovered when enabling hardening options, particularly -D_FORTIFY_SOURCE=2, which revealed buffer overflow errors in several instances of strcpy and sprintf functions (Debian Med).

The vulnerability could allow attackers to cause buffer overflows, potentially leading to program crashes and arbitrary code execution. The high CVSS score of 9.8 indicates critical severity with potential for complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability was fixed in version 0.4.0-7 of the perM package through a patch that addresses the buffer overflow issues. The fix involved proper buffer size handling and replacement of unsafe string functions. However, it's worth noting that the upstream project appears to be inactive, with no response from the original developers (Debian Bug).