CVE-2022-41794: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2022-41794) was discovered in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. The vulnerability was disclosed on December 22, 2022, affecting OpenImageIO versions master-branch-9aeece7a and v2.3.19.0. This vulnerability allows an attacker to achieve arbitrary code execution by providing a specially-crafted PSD file (Talos Report).

The vulnerability exists in the PSD thumbnail resource parsing code where there is no validation on the width variable between its read from the file and its use in the getpixels call. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and has received a CVSSv3 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. The issue occurs when processing PSD files, particularly in the thumbnail resource handling functionality ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1626)).

The vulnerability can lead to arbitrary code execution when processing maliciously crafted PSD files. This could allow attackers to execute arbitrary code with the privileges of the application processing the image. The high CVSS score of 9.8 indicates critical severity with potential for complete system compromise (Talos Report).

The vulnerability has been addressed in subsequent releases. Users are advised to upgrade to patched versions. Debian has released security updates (DSA-5384-1) for the stable distribution (bullseye) fixing this issue in version 2.2.10.1+dfsg-1+deb11u1. Gentoo users should upgrade to version 2.4.6.0 or later (Debian Advisory, Gentoo Advisory).