CVE-2022-38143: 
NixOS vulnerability analysis and mitigation

A heap out-of-bounds write vulnerability (CVE-2022-38143) was discovered in OpenImageIO v2.3.19.0, specifically in how it processes RLE encoded BMP images. The vulnerability was discovered by Cisco Talos and publicly disclosed on December 22, 2022. The affected software versions include OpenImageIO master-branch-9aeece7a and v2.3.19.0 (Talos Report).

The vulnerability exists in the BMP file processing functionality of OpenImageIO. When processing RLE encoded BMP images, the software fails to properly validate the y-coordinate against mspec.height during decompression. While there are checks for the x-coordinate bounds, the lack of y-coordinate validation allows writing to arbitrary out-of-bounds memory locations. The vulnerability has been assigned a CVSSv3 score of 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-123 (Write-what-where Condition) ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1630)).

The vulnerability can lead to arbitrary code execution when processing specially crafted BMP files. An attacker can exploit this vulnerability by providing a malicious BMP file that triggers an out-of-bounds write condition, potentially allowing them to execute arbitrary code on the affected system (Talos Report).

The vulnerability was patched with the release of a vendor update on November 1, 2022. Users are advised to upgrade to a version newer than v2.3.19.0. The issue was addressed in subsequent releases of OpenImageIO (Talos Report, Gentoo Security).