CVE-2023-24472: 
NixOS vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2023-24472) was discovered in OpenImageIO Project OpenImageIO v2.4.7.1, specifically in the FitsOutput::close() functionality. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on March 30, 2023. OpenImageIO is an image processing library with easy-to-use interfaces and supports numerous image formats, commonly used by 3D-processing software like AliceVision (including Meshroom) and Blender for reading Photoshop .psd files (Talos Report).

The vulnerability is classified as CWE-674 (Uncontrolled Recursion) and has received a CVSSv3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability can be triggered when a specially crafted ImageOutput Object is provided to the FitsOutput::close() function (Talos Report).

When successfully exploited, this vulnerability can lead to denial of service conditions in applications using the affected OpenImageIO library. The high CVSS score (7.5) indicates significant potential impact on system availability, though there are no direct impacts on confidentiality or integrity (Talos Report).

The vulnerability was disclosed to the vendor on February 7, 2023, and a patch was released on February 13, 2023. Users are advised to upgrade to versions newer than 2.4.7.1. Debian has addressed this issue in their security updates, including DLA-3518-1 for affected versions (Debian LTS).