CVE-2022-47659: 
NixOS vulnerability analysis and mitigation

GPAC MP4box version 2.1-DEV-rev644-g5c4df2a67 was discovered to contain a buffer overflow vulnerability in the gf_bs_read_data function. The vulnerability was identified in December 2022 and assigned the identifier CVE-2022-47659. This security flaw affects the GPAC multimedia framework, specifically impacting systems running versions prior to 2.2.0 (GitHub Issue, NVD).

The vulnerability is classified as a stack-buffer-overflow occurring in utils/bitstream.c at line 732 within the gf_bs_read_data function. The issue has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked as CWE-787 (Out-of-bounds Write) (NVD).

The buffer overflow vulnerability could potentially lead to denial of service (DoS) conditions or remote code execution (RCE) when processing specially crafted input files. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (GitHub Issue, Debian Security).

The vulnerability has been fixed in GPAC version 2.2.0 and later releases. For Debian systems, the fix has been backported to version 1.0.1+dfsg1-4+deb11u2 in the stable distribution (bullseye). Users are strongly recommended to upgrade their GPAC installations to the patched versions (Debian Security).