CVE-2022-0137: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability was discovered in HTMLDOC before version 1.9.15, specifically in the imagesetmask function. The vulnerability was assigned CVE-2022-0137 and was disclosed on January 6, 2022. This security flaw affects the HTMLDOC software package, which is an HTML processor that generates indexed HTML, PS, and PDF documents (CVE Details, Ubuntu Security).

The vulnerability occurs in the imagesetmask function where an attacker can write outside the buffer boundaries. The issue stems from improper handling of img->mask buffer allocation and manipulation. The buffer overflow happens because img->width and img->height values are changed after the initial buffer allocation, potentially leading to out-of-bounds access in the operation: maskptr = img->mask + y * img->maskwidth + x / 8 (GitHub Issue). The vulnerability has a CVSS 3.1 Base Score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Ubuntu Security).

If exploited, this vulnerability could allow an attacker to cause a denial of service or potentially execute arbitrary code. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity (Ubuntu Security Notice).

The vulnerability was fixed in HTMLDOC version 1.9.15. Various Linux distributions have released patched versions: Ubuntu 20.04 LTS (1.9.7-1ubuntu0.3+esm2), Ubuntu 18.04 LTS (1.9.2-1ubuntu0.2+esm2), and Ubuntu 16.04 LTS (1.8.27-8ubuntu1.1+esm3). Users are advised to update their HTMLDOC installations to the latest version (Ubuntu Security Notice).