CVE-2021-3941: 
NixOS vulnerability analysis and mitigation

CVE-2021-3941 is a vulnerability discovered in OpenEXR, affecting the ImfChromaticities.cpp routine RGBtoXYZ(). The vulnerability was identified in 2021 and involves a divide-by-zero condition that could be triggered by specially crafted files. The flaw affects programs linked with OpenEXR, a high-dynamic-range floating-point image file format library (CVE Mitre, Red Hat Bugzilla).

The vulnerability exists in the RGBtoXYZ() function within ImfChromaticities.cpp, where division operations such as float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y and chroma.green.y * (X + Z))) / d are performed without checking if the divisor could be zero. This oversight in input validation could lead to a divide-by-zero condition (CVE Mitre).

When exploited, this vulnerability could affect the availability of programs linked with OpenEXR by triggering a divide-by-zero condition, potentially leading to application crashes (Debian Security, Ubuntu Security).

The vulnerability has been fixed in OpenEXR version 3.1.2 and later releases. Various Linux distributions have released security updates to address this issue, including Debian (version 2.5.4-2+deb11u1), Fedora (version 3.1.4-1.fc36), and Gentoo (version >= 3.1.5) (Debian Security, Fedora Update, Gentoo Security).