CVE-2021-40403: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2021-40403) exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents (Talos Report).

The vulnerability stems from an uninitialized PnpPartData structure in the pick-and-place file parsing functionality. When parsing the rotation field from a pick-and-place file, the sscanf function may fail if provided with an empty string or non-numeric input, leaving the rotation value uninitialized. This uninitialized value is then used in subsequent calculations, potentially exposing stack memory contents. The vulnerability has been assigned a CVSS v3.0 base score of 5.8 (Medium) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (Talos Report).

An attacker able to read the resulting rendered image might be able to extract limited memory contents by analyzing the object rotation in the rendered image. This could lead to information disclosure of sensitive data from the process memory (Talos Report).

The vulnerability has been addressed in various distributions. Debian has fixed these issues in version 2.7.0-2+deb11u2 for the stable distribution (bullseye) (Debian Advisory). Fedora 36 has released version 2.8.2-1.fc36 containing security fixes (Fedora Update).