CVE-2021-38380: 
NixOS vulnerability analysis and mitigation

Live555 through version 1.08 contains a vulnerability where mishandling of huge requests for the same MP3 stream leads to recursion and a stack-based buffer over-read. The vulnerability was discovered and disclosed in August 2021, affecting all versions of Live555 up to and including version 1.08 (NVD).

The vulnerability occurs in the MP3FileSource implementation when attempting to synchronously read from an MP3 file. The issue specifically involves a recursive call to doEventLoop() when processing multiple concurrent requests, which can lead to a stack overflow condition in the RTSP server. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can be leveraged by attackers to launch a Denial of Service (DoS) attack against the affected system. The attack specifically impacts the server's ability to handle MP3 stream requests, potentially making the service unavailable to legitimate users (Live555 Changelog).

The vulnerability was fixed in the August 4, 2021 release of Live555. The fix involved modifying the MP3FileSource implementation to eliminate recursive calls to doEventLoop() when attempting to synchronously read from an MP3 file. Users are advised to upgrade to versions after 2021.08.04 to mitigate this vulnerability (Live555 Changelog).