CVE-2022-43295: 
NixOS vulnerability analysis and mitigation

XPDF v4.04 was discovered to contain a stack overflow vulnerability in the FileStream::copy() function located at xpdf/Stream.cc:795. The vulnerability was disclosed on November 14, 2022, and affects the XPDF PDF reader software version 4.04 (NVD, CVE Mitre).

The vulnerability is classified as a stack overflow vulnerability, which is a type of buffer overflow that occurs in the stack memory region. It has been assigned a CVSS v3.1 Base Score of 5.5 (Medium severity) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The attack vector is Local, requiring low attack complexity and user interaction, but no privileges. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability primarily affects system availability, potentially leading to application crashes or denial of service conditions. According to the CVSS metrics, while the vulnerability has high impact on availability, it does not directly compromise system confidentiality or integrity (NVD).

The vulnerability has been fixed in subsequent releases of XPDF. Users are advised to upgrade to the latest version of the software. Debian has addressed this vulnerability in their distributions, with fixed versions available in bullseye, bookworm, sid, and trixie releases (Debian Tracker).