CVE-2022-47673: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Binutils addr2line before version 2.39.3, where the parse_module function contains multiple out-of-bounds reads. The vulnerability was assigned CVE-2022-47673 and was publicly disclosed on August 22, 2023. This security flaw affects the GNU Binutils package, specifically the addr2line component (NVD).

The vulnerability stems from insufficient bounds checking in the parsemodule function within the vms-alpha.c file. The issue occurs when ((signed char *)pclptr)[0] is accessed, which is only ensured to be smaller than ptr + reclength. However, reclength can be controlled by file content, potentially leading to buffer overflow conditions. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Bugzilla).

The vulnerability can cause a denial of service condition or potentially lead to other unspecified impacts when processing malformed input files. The high CVSS score indicates that successful exploitation could result in complete compromise of confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in Binutils version 2.39.3. The patch includes improved bounds checking in the vms-alpha.c parsemodule function, with additional sanity checks for record length and various DST_K elements. Users are advised to upgrade to the patched version (Bugzilla).