CVE-2023-26768: 
NixOS vulnerability analysis and mitigation

Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the compileTranslationTable.c and lou_setDataPath functions. The vulnerability was discovered in February 2023 and assigned CVE-2023-26768 (NVD).

The vulnerability is classified as a global buffer overflow issue that occurs when a long filename (larger than 256 characters) is given to the API lou_logFile(). The issue is present in the logging.c file where the initialLogFileName buffer has a fixed size of 256 bytes. The vulnerability has a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Ubuntu).

When exploited, this vulnerability can lead to a denial of service condition. The buffer overflow occurs in the global memory space, which could potentially crash the application when a filename longer than the buffer size is provided (Github Issue).

The vulnerability has been fixed in subsequent releases of Liblouis. The fix involves checking the filename length before copying it to initialLogFileName buffer. The patch was implemented through a pull request that replaced the magic number with a defined constant FILENAMESIZE (Github PR).