CVE-2019-14875: 
NixOS vulnerability analysis and mitigation

CVE-2019-14875 affects the __multiply function in the newlib libc library, versions prior to 3.3.0. The vulnerability stems from the improper handling of memory allocation verification in the newlib/libc/stdlib/mprec.c file. The issue was discovered and reported by Dimitrios Glynos, and was officially patched in version 3.3.0 (Census Labs).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 base score of 6.5 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue occurs when Balloc is used to allocate a big integer in the __multiply function, but no verification is performed to check if the allocation succeeded. This leads to an unsafe access pattern where _x[0] is accessed without proper NULL pointer checking (NVD).

When exploited, this vulnerability can trigger a null pointer dereference bug in case of a memory allocation failure. On embedded systems where the Device Vector Table is mapped at address 0x0, this could potentially lead to leaking interrupt handler addresses, overwriting interrupt handlers, or diverting program execution to installed interrupt handlers (Census Labs).

Users are strongly advised to update to newlib version 3.3.0 or later, which includes patches addressing this vulnerability. When building the library, it's recommended to enable the newlib-reent-check-verify 'configure' option. Library authors are recommended to always implement checks for NULL return values from memory allocators (Census Labs).