CVE-2023-22845: 
NixOS vulnerability analysis and mitigation

CVE-2023-22845 is an out-of-bounds read vulnerability discovered in OpenImageIO v2.4.7.1, specifically affecting the TGAInput::decodepixel() functionality. The vulnerability was discovered by Lilith of Cisco Talos and was publicly disclosed on March 30, 2023. This security flaw affects the OpenImageIO image processing library, which is utilized by various 3D-processing software including AliceVision (Meshroom) and Blender ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2023-1708)).

The vulnerability exists in the TGAInput::decodepixel() function when processing Targa (.tga) files. The issue stems from insufficient validation of the cmapfirst variable from the initial targa headers. When processing palette data, the code uses this unchecked value to calculate memory offsets, which can lead to out-of-bounds heap data access. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high impact on confidentiality (Talos Report).

The vulnerability allows an attacker to potentially access sensitive information through information disclosure. When exploited, the vulnerability can lead to the exposure of heap memory contents, which could contain sensitive data from the application's memory space (Talos Report).

The vulnerability was patched by the vendor on February 13, 2023. Users are strongly encouraged to update to a version newer than OpenImageIO v2.4.7.1 to mitigate this vulnerability (Talos Report).