CVE-2023-30774: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in the libtiff library (CVE-2023-30774) that causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values. The vulnerability was reported in April 2023 and affects various versions of the libtiff library. The issue received a CVSS v3.1 base score of 5.5 (Medium) (NVD).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) and Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119). The heap buffer overflow occurs during the processing of TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS values. The vulnerability requires local access and user interaction to be exploited, with a CVSS vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to heap buffer overflow, potentially resulting in application termination or arbitrary code execution. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (NetApp Advisory).

The issue has been addressed in various software releases. Apple has included fixes in macOS Sonoma 14.1 by removing the vulnerable code (Apple Support). Other vendors have also released patches for their affected products. Users are advised to update to the latest version of their software that includes the fix.