CVE-2022-24130
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-24130 affects xterm through Patch 370 when Sixel support is enabled. Disclosed on January 30, 2022, the vulnerability allows an attacker to trigger a buffer overflow in the setsixel function in graphics_sixel.c via crafted text. It affects xterm packages shipped by multiple Linux distributions, including Debian, Fedora, and Gentoo (Debian LTS, Fedora Update, Gentoo GLSA).

Technical details

The vulnerability is in the setsixel function in graphics_sixel.c, which processes Sixel graphics data. The defect is an invalid write of size 2 that can corrupt memory. It was found when corrupted Sixel input caused xterm to attempt a write to an invalid address (0xFFFFFFFF0941EFB8). Specific Sixel input sequences cause context->col to wrap, so the column index is no longer within the raster and the pixel store becomes an out-of-bounds write to graphic->pixels (OSS Security, OSS Security POC).
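The following is an added, constructed C model of the defect class described above (a column index that has wrapped or overrun the raster being used as an offset into graphic->pixels); it is written for this report and is not xterm's own code. The names Graphic, SixelContext, set_pixel_checked and draw_band are assumptions of the example: the pixel store refuses any coordinate outside the allocated raster, and the column counter saturates instead of wrapping.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed model (not xterm's code): pixels is a row-major array of
 * 16-bit values, so each store is a 2-byte write, the size in the report. */
typedef struct { int width, height; uint16_t *pixels; } Graphic;
typedef struct { int col, row; } SixelContext; /* col advances per data byte */

/* Hardened pixel store: every coordinate is checked against the allocated
 * raster before the write, so a wrapped (negative) or oversized col is dropped. */
static int set_pixel_checked(Graphic *g, int col, int row, uint16_t color) {
    if (col < 0 || row < 0 || col >= g->width || row >= g->height)
        return 0;                                  /* out of range: refuse */
    g->pixels[(size_t)row * (size_t)g->width + (size_t)col] = color;
    return 1;
}

/* Draw one sixel band ('?'..'~', six vertical pixels per byte) with the
 * checked store. The column counter saturates at the raster width so it
 * can never wrap. Returns the number of refused pixel writes. */
static int draw_band(Graphic *g, SixelContext *ctx, const char *data, uint16_t color) {
    int refused = 0;
    for (const unsigned char *p = (const unsigned char *)data; *p; p++) {
        if (*p < 0x3F || *p > 0x7E) continue;      /* not a sixel data byte */
        unsigned bits = *p - 0x3F;
        for (int b = 0; b < 6; b++)
            if (bits & (1u << b))
                refused += !set_pixel_checked(g, ctx->col, ctx->row + b, color);
        if (ctx->col < g->width) ctx->col++;       /* saturate, do not wrap */
    }
    return refused;
}

/* Constructed scenario: a 4x6 raster fed six full-height columns. The last
 * two columns lie outside the raster and must be refused, not written. */
typedef struct { int refused, written, wrapped_refused; } DemoResult;
DemoResult demo_overrun(void) {
    Graphic g = { 4, 6, calloc(24, sizeof(uint16_t)) };
    SixelContext ctx = { 0, 0 };
    DemoResult r = { 0, 0, 0 };
    r.refused = draw_band(&g, &ctx, "~~~~~~", 7);
    for (int i = 0; i < 24; i++) r.written += (g.pixels[i] == 7);
    r.wrapped_refused = !set_pixel_checked(&g, -1, 0, 7); /* wrapped col */
    free(g.pixels);
    return r;
}

int main(void) { DemoResult r = demo_overrun(); printf("refused=%d written=%d\n", r.refused, r.written); return 0; }
```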

Impact

When successfully exploited, this vulnerability results in denial of service through a program crash: the out-of-bounds write can corrupt memory and terminate xterm with a SIGSEGV signal (Gentoo GLSA, OSS Security).

Mitigation and workarounds

The vulnerability is fixed in later xterm releases. Users are advised to upgrade to xterm >= 371 on Gentoo, 327-2+deb9u2 on Debian 9 (stretch), and 370-3 on Fedora. Where an immediate upgrade is not possible, disabling Sixel support removes the vulnerable code path and serves as a temporary workaround (Gentoo GLSA, Debian LTS, Fedora Update).

Community reactions

The vulnerability was initially discovered by Nick Black while working on Notcurses bug #2573. It was promptly reported to Thomas Dickey, the maintainer of xterm. The discovery was first shared on Twitter and then formally reported through the oss-security mailing list (OSS Security).

Source: This report was generated using AI.
