CVE-2021-45942: 
NixOS vulnerability analysis and mitigation

CVE-2021-45942 affects OpenEXR versions 3.1.x before 3.1.4, where a heap-based buffer overflow vulnerability exists in Imf31::LineCompositeTask::execute function (called from IlmThread31::NullThreadPoolProvider::addTask and IlmThread31::ThreadPool::addGlobalTask) (NVD, OSS-Fuzz). The vulnerability was discovered on November 27, 2021, and was fixed in OpenEXR version 3.1.4 released on January 26, 2022.

The vulnerability is a heap-based buffer overflow that occurs in the LineCompositeTask::execute function of OpenEXR. The issue specifically relates to the handling of xSampling and ySampling parameters in the CompositeDeepScanLine functionality. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The heap-based buffer overflow vulnerability could lead to a denial of service (application crash) if a malformed image file is processed (Debian). The vulnerability affects the availability of the system while confidentiality and integrity remain uncompromised.

The vulnerability was fixed in OpenEXR version 3.1.4. The fix involves enforcing xSampling and ySampling parameters to be set to 1 in CompositeDeepScanLine (GitHub). Users are recommended to upgrade to OpenEXR version 3.1.4 or later. Various Linux distributions have also released security updates to address this vulnerability, including Debian, Fedora, and Gentoo.