CVE-2023-0950: 
NixOS vulnerability analysis and mitigation

Improper Validation of Array Index vulnerability (CVE-2023-0950) was discovered in the spreadsheet component of The Document Foundation LibreOffice. The vulnerability was disclosed on May 24, 2023, affecting the Calc formula parsing functionality. The issue was fixed in LibreOffice versions 7.4.6 and 7.5.2 and later releases (LibreOffice Advisory).

The vulnerability exists in LibreOffice's spreadsheet module where the 'ScInterpreter' component processes formulas with multiple parameters. Certain malformed spreadsheet formulas, such as AGGREGATE, could be created with fewer parameters passed to the formula interpreter than expected, leading to an array index underflow. The issue was discovered by security professionals from Secusmart GmbH and fixed by implementing parameter count validation in the affected versions (Security Online).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the target system when a user opens a specially crafted spreadsheet document (Ubuntu Notice).

Users are advised to upgrade to LibreOffice versions 7.4.6 or later (or >= 7.5.2) where the count of parameters is properly validated. The fix has been backported to various Linux distributions including Ubuntu, Debian, and Red Hat (Gentoo Security).