CVE-2023-24473: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-24473) was discovered in OpenImageIO v2.4.7.1, specifically in the TGAInput::readtga2header functionality. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on March 30, 2023. This vulnerability affects the OpenImageIO library, which is utilized by 3D-processing software including AliceVision (Meshroom) and Blender for image processing and format conversion (Talos Report).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs during the processing of TGA 2.0 image files. The issue stems from improper buffer handling in the readtga2header function, where the lack of null termination in the buf buffer can lead to out-of-bounds reads when generating metadata. The vulnerability has received a CVSS v3.1 base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Talos Report).

When exploited, this vulnerability can lead to the disclosure of sensitive information from the system's memory. The impact occurs when processing specially crafted Targa (.tga) files, where the lack of proper buffer termination can expose data from adjacent memory locations (Talos Report).

The vulnerability was patched by the vendor on February 13, 2023. Users are advised to update to a version newer than OpenImageIO v2.4.7.1 to mitigate this vulnerability (Talos Report).