CVE-2020-5235: 
NixOS vulnerability analysis and mitigation

CVE-2020-5235 is a vulnerability affecting nanopb library when compiled with PB_ENABLE_MALLOC. The issue was discovered and disclosed on February 2, 2020, affecting all versions since nanopb-0.2.7 up to versions 0.4.1, 0.3.9.5, and 0.2.9.4. The vulnerability occurs when processing messages containing repeated string, bytes, or message fields (GitHub Advisory).

The vulnerability occurs when nanopb attempts to expand an array using realloc() during message decoding. If realloc() fails due to out-of-memory conditions, the library may end up calling free() on a pointer value that comes from uninitialized memory. This issue specifically affects the message decoding process when handling repeated fields (GitHub Advisory).

The vulnerability can result in a system crash or memory corruption, which could potentially be exploitable in certain cases. The severity of this issue is rated as Moderate, as the exploitation requires specific conditions including memory exhaustion (GitHub Advisory).

The issue has been patched in nanopb versions 0.4.1, 0.3.9.5, and 0.2.9.4. As a workaround, users can limit input message length to prevent system memory exhaustion. The exact length limit depends on the message type being used. Patches are available in git commits 45582f1 (0.4 series), aa9d0d1 (0.3 series), and 7b39682 (0.2 series) (GitHub Advisory).