CVE-2021-40400: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability (Talos Advisory).

The vulnerability exists in the RS-274X aperture macro outline primitive functionality. The issue occurs in the simplify_aperture_macro function where the stack buffer size depends on nuf_push, while the memcpy operation size depends on nuf_parameters. An attacker can set an arbitrary nuf_parameters value from 0 to 102, causing the memcpy to range from 0 to 816 bytes. If nuf_push is smaller than nuf_parameters, this leads to an out-of-bounds read on the s->stack buffer, resulting in data from nearby heap chunks being stored into sam->parameter. The vulnerability has been assigned a CVSS v3.0 score of 9.3 CRITICAL (Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H) (Talos Advisory).

The vulnerability could allow an attacker to extract heap metadata or contents by reading the resulting rendered image. Since sam->parameter is used to draw the shape for the macro being evaluated, this will result in the final drawing having a different shape, coordinate points and rotation, depending on the values stored in the nearby heap chunks. The quality of the information leak depends on the DPI chosen for the operation (Talos Advisory).