CVE-2023-2663: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2023-2663 was discovered in Xpdf version 4.04 and earlier versions. The vulnerability was disclosed on May 11, 2023, and affects the PDF processing functionality of the software. The issue involves a PDF object loop in the page label tree that can trigger uncontrolled recursion (NVD).

The vulnerability is classified as CWE-674 (Uncontrolled Recursion) and has received varying CVSS severity ratings. The National Institute of Standards and Technology (NIST) assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, while CISA-ADP rated it as CRITICAL with a score of 9.1. The original vendor, Glyph & Cog, LLC, assessed it with a LOW severity score of 2.9 (NVD).

The vulnerability can lead to a stack overflow condition when processing PDF files with specifically crafted page label trees. This can result in a Denial of Service (DoS) situation, potentially causing the application to crash or become unresponsive (NVD).

The vulnerability has been addressed in various Linux distributions. Debian has implemented fixes across multiple releases including bullseye, bookworm, sid, and trixie. It's worth noting that Debian uses poppler instead of xpdf, which is not affected by this vulnerability (Debian Tracker).