CVE-2022-39047: 
NixOS vulnerability analysis and mitigation

CVE-2022-39047 is a buffer overflow vulnerability affecting Freeciv versions before 2.6.7 and before 3.0.3. The vulnerability was discovered in the Modpack Installer utility's handling of modpack URLs and was disclosed on August 5, 2022. The affected component is the Modpack Installer utility in Freeciv, a free and open-source civilization-building game (NVD, OSS Security).

The vulnerability occurs when processing specially crafted URLs without any '/' characters in the Modpack Installer utility. This results in an underflowing length calculation of (unsigned)(-1) string copy, causing all of the NULL-terminated string given as 'URL' to be written beyond the buffer reserved for it. The vulnerability has been assigned a CVSS score of 9.0, indicating high severity (Rapid7, OSS Security).

When successfully exploited, this buffer overflow vulnerability could potentially lead to arbitrary code execution or system crashes, as it allows writing beyond the allocated buffer space. The high CVSS score of 9.0 indicates potential complete compromise of confidentiality, integrity, and availability of the affected system (Rapid7).

The vulnerability has been fixed in Freeciv versions 2.6.7 and 3.0.3. Users are advised to upgrade to these versions or later. For those unable to perform a full version update immediately, a patch for earlier versions is available through the Freeciv bug tracker. Source tarballs for the fixed versions are available from the official Freeciv download page (OSS Security, Freeciv Ticket).