CVE-2020-0034: 
NixOS vulnerability analysis and mitigation

CVE-2020-0034 is a security vulnerability discovered in the vp8_decode_frame function of decodeframe.c within the libvpx library. The vulnerability was disclosed on March 10, 2020, affecting Android versions 8.0 and 8.1, as well as various Linux distributions using the libvpx library. This vulnerability is characterized by an out-of-bounds read issue that occurs due to improper input validation (CVE Mitre, Ubuntu Security).

The vulnerability exists in the vp8_decode_frame function of decodeframe.c, where an out-of-bounds buffer read can occur when processing truncated key frames. The issue has been assigned a CVSS 3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited remotely with no required privileges or user interaction (Ubuntu Security).

If exploited, this vulnerability could lead to remote information disclosure, particularly when error correction is enabled. The vulnerability affects the confidentiality of the system but does not impact integrity or availability. The high CVSS score reflects the potential for unauthorized access to sensitive information without requiring special privileges or user interaction (Ubuntu Security).

Multiple vendors have released patches to address this vulnerability. Ubuntu has provided fixes for affected versions, particularly for Ubuntu 16.04 LTS (version 1.5.0-2ubuntu1.1+esm1) and Ubuntu 14.04 LTS (version 1.3.0-2ubuntu0.1~esm2). OpenSUSE has released security updates for Leap 15.1, and Debian has addressed the issue in version 1.6.1-3+deb9u3 for Debian 9 stretch (Debian LTS, OpenSUSE Security).