
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-42011 is a vulnerability discovered in D-Bus (versions before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2). The vulnerability was introduced as a regression in version 1.3.0 and was fixed in October 2022. It affects dbus-daemon and other programs that use libdbus (CVE Mitre, NVD).
The vulnerability is triggered when receiving a message in which an array length is inconsistent with the size of the element type. Specifically, an invalid array of fixed-length elements, where the length of the array is not a multiple of the length of the element, causes an assertion failure in debug builds or an out-of-bounds read in production builds. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium), with attack vector Network, attack complexity Low, and privileges required Low (Ubuntu).
When successfully exploited, this vulnerability can cause dbus-daemon and other programs that use libdbus to crash, resulting in a denial of service condition. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity of the system (Openwall).
The vulnerability has been fixed in multiple D-Bus versions: 1.14.x >= 1.14.4 (stable branch), 1.12.x >= 1.12.24 (old stable branch), and >= 1.15.2 (development branch). Users are advised to upgrade to these or later versions. The fix was implemented through a patch that addresses the array length validation issue (Openwall).
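The consistency rule described above, written out as an added example (this is not the D-Bus project's patch or code): a stand-alone validator for an array of fixed-length elements. It assumes little-endian byte order and a buffer that begins at the start of the message so offsets match wire alignment; all function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ARRAY_LEN (1u << 26) /* D-Bus spec limit: 64 MiB of array data */

enum arr_status { ARR_OK = 0, ARR_NOT_FIXED, ARR_TRUNCATED, ARR_TOO_LONG,
                  ARR_BAD_MULTIPLE };

/* Size in bytes of a fixed-length D-Bus basic type, or 0 if not fixed-length. */
static size_t fixed_size(char type_code)
{
    switch (type_code) {
    case 'y': return 1;                               /* BYTE */
    case 'n': case 'q': return 2;                     /* INT16, UINT16 */
    case 'b': case 'i': case 'u': case 'h': return 4; /* BOOLEAN, INT32, UINT32, UNIX_FD */
    case 'x': case 't': case 'd': return 8;           /* INT64, UINT64, DOUBLE */
    default: return 0;
    }
}

/* Validate an array of fixed-length elements whose uint32 length field starts
 * at offset pos (assumed 4-byte aligned) in buf[0..len).
 * On ARR_OK, *count receives the number of elements. */
enum arr_status check_fixed_array(const uint8_t *buf, size_t len, size_t pos,
                                  char elem_type, size_t *count)
{
    size_t esz = fixed_size(elem_type);
    if (esz == 0) return ARR_NOT_FIXED;
    if (pos > len || len - pos < 4) return ARR_TRUNCATED;

    uint32_t alen = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8 |
                    (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;
    if (alen > MAX_ARRAY_LEN) return ARR_TOO_LONG;

    /* Elements start at the next multiple of their alignment (== size);
     * that padding is not counted in the array length. */
    size_t start = (pos + 4 + esz - 1) & ~(esz - 1);
    if (start > len || len - start < alen) return ARR_TRUNCATED;

    /* The rule at issue: the byte length must be a whole number of elements,
     * otherwise a reader stepping by esz runs past the end of the array. */
    if (alen % esz != 0) return ARR_BAD_MULTIPLE;

    *count = alen / esz;
    return ARR_OK;
}
```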
Source: This report was generated using AI