CVE-2022-31003: 
NixOS vulnerability analysis and mitigation

CVE-2022-31003 is a heap buffer overflow vulnerability discovered in Sofia-SIP, an open-source Session Initiation Protocol (SIP) User-Agent library. The vulnerability was disclosed on May 31, 2022, affecting versions prior to 1.13.8. The issue occurs in the SDP message parsing functionality (GitHub Advisory).

The vulnerability exists in the SDP message parsing functionality where rest = record + 2 will access the memory behind \0 and cause an out-of-bounds write. This occurs when parsing each line of an SDP message, specifically when handling the last line termination. The issue has been assigned CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) classifications (NVD CNA Status).

An attacker can exploit this vulnerability by sending a specially crafted SDP message to systems using Sofia-SIP, potentially causing a system crash or, in more severe cases, achieving remote code execution (GitHub Advisory, Gentoo Security).

The vulnerability has been fixed in Sofia-SIP version 1.13.8. Users are strongly recommended to upgrade to this version or later. The fix includes additional length checks before processing SDP messages (GitHub Commit).

Multiple Linux distributions have issued security advisories and patches for this vulnerability, including Debian, Ubuntu, and Gentoo. Debian classified this as a high-severity issue and released updates through DLA-3091-1 (Debian LTS).