CVE-2021-45930: 
NixOS vulnerability analysis and mitigation

Qt SVG in Qt versions 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 contains a vulnerability involving an out-of-bounds write in QtPrivate::QCommonArrayOps::growAppend function, which is called from QPainterPath::addPath and QPathClipper::intersect. The vulnerability was discovered and disclosed in December 2021 (NVD).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 base score of 5.5 (Medium). The attack requires local access and user interaction, but no privileges. The vulnerability affects the SVG handling component of Qt, specifically in the path parsing functionality. The issue occurs during the processing of SVG path elements when the QtPrivate::QCommonArrayOps::growAppend function is called (NVD, OSS-Fuzz).

The vulnerability primarily affects application availability, with no direct impact on confidentiality or integrity. When exploited, it can lead to application crashes or potential denial of service conditions. The vulnerability requires user interaction, specifically the processing of a specially crafted SVG file (NVD).

Multiple patches have been released to address this vulnerability. The fix implements stricter error checking when parsing path nodes and limits the number of QPainterPath elements to a reasonable range. Various distributions have released security updates, including Debian and Fedora. For Debian 9 stretch, the fix was included in version 5.7.1~20161021-2.1+deb9u1 of qtsvg-opensource-src (Debian LTS, Qt Commit).