CVE-2021-45429: 
NixOS vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in VirusTotal YARA (CVE-2021-45429), affecting versions up to 4.1.3. The vulnerability exists in the yrsetconfiguration function within yara/libyara/libyara.c, which was introduced in git commit 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7. This security issue was disclosed on February 4, 2022 (NVD).

The vulnerability stems from improper pointer conversion in the yrsetconfiguration() function. When handling the YRCONFIGMAXPROCESSMEMORYCHUNK configuration case, the function incorrectly treats a void* pointer as a uint64t* pointer, leading to a 64-bit read from a 32-bit variable. This results in a global buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, GitHub Issue).

The primary impact of this vulnerability is the potential for Denial of Service (DoS). When exploited, an attacker who gains control of the memory chunk's adjacent bytes could manipulate the higher 32 bits of the configuration value to arbitrary values, potentially leading to exhaustive attacks (GitHub Issue).

The vulnerability has been fixed in YARA version 4.2.0-rc1 and later releases. Users are advised to upgrade to a patched version. For Ubuntu 22.04 LTS users, fixes are available in version 4.1.3-1ubuntu0.1~esm1 through Ubuntu Pro (Ubuntu Security).