CVE-2021-40574: 
NixOS vulnerability analysis and mitigation

The binary MP4Box in Gpac from version 0.9.0-preview to 1.0.1 contains a double-free vulnerability in the gftextgetutf8line function located in load_text.c. This vulnerability was discovered in August 2021 and affects the text processing functionality of the software (NVD, Debian Advisory).

The vulnerability exists in the gftextgetutf8line function within load_text.c, where a buffer overflow condition can lead to a double-free scenario. The issue was identified with a CVSS v3.1 Base Score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability specifically affects the text processing functionality when handling UTF-8 encoded text files (NVD).

If successfully exploited, this vulnerability can allow attackers to cause a denial of service condition, and potentially achieve code execution and escalation of privileges. The vulnerability affects the core functionality of the MP4Box binary, which is a critical component of the Gpac framework (NVD).

The vulnerability has been fixed in subsequent releases of Gpac. For Debian systems, the fix is available in version 1.0.1+dfsg1-4+deb11u2. Users are recommended to upgrade to the patched version. The fix involved adjusting buffer sizes in the affected function (Debian Advisory, GitHub Patch).