CVE-2022-45202: 
NixOS vulnerability analysis and mitigation

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow vulnerability in the function dimC_box_read located in isomedia/box_code_3gpp.c. The vulnerability was disclosed on November 28, 2022, and affects GPAC versions up to (excluding) 2.2.0. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) (NVD).

The vulnerability is caused by a stack buffer overflow in the dimC_box_read function at line 1070 of isomedia/box_code_3gpp.c. The issue occurs when processing certain media files, where a buffer overflow can be triggered during the reading of text encoding information. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (NVD, GitHub Issue).

The vulnerability can cause application crashes and potentially allow modification of stack memory, which could lead to remote code execution. When exploited, the vulnerability affects the confidentiality, integrity, and availability of the system with high severity (GitHub Issue).

The vulnerability has been addressed in subsequent releases. Debian has released security updates to fix this issue in version 1.0.1+dfsg1-4+deb11u2 for the stable distribution (bullseye). Users are recommended to upgrade their GPAC packages to the fixed versions (Debian Advisory).