CVE-2023-0996: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2023-0996) was discovered in the strided image data parsing code within the emscripten wrapper for libheif, an ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder. The vulnerability was discovered by Eugene Lim of GovTech Singapore and was initially disclosed to the vendor on October 21, 2022, with a patch being released on January 11, 2023 (GovTech Advisory).

The vulnerability exists in the strided image data parsing code of libheif's emscripten wrapper. The issue allows an attacker to trigger a buffer overflow in linear memory during a memcpy call through a specially crafted image file. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Ubuntu Security).

If successfully exploited, this vulnerability could lead to program crashes resulting in denial of service. The vulnerability affects multiple versions of Ubuntu, including Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS (Ubuntu Notice).

Fixed versions have been released for various distributions. Ubuntu has provided updates for affected versions: Ubuntu 22.04 LTS (1.12.0-2ubuntu0.1~esm1) and Ubuntu 20.04 LTS (1.6.1-1ubuntu0.1~esm1). Debian has also released fixes for affected versions in bullseye (1.11.0-1+deb11u2) and bookworm (1.15.1-1+deb12u1) (Debian Security).