CVE-2023-3180: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2023-3180) was discovered in the QEMU virtual crypto device affecting versions prior to 8.1.0. The flaw exists in the handling of data encryption/decryption requests in virtio_crypto_handle_sym_req function. The vulnerability was discovered in July 2023 and affects QEMU's virtual crypto device implementation (NVD, Debian Security).

The vulnerability stems from a missing validation check in the virtio_crypto_sym_op_helper function. Specifically, there is no verification of the values of 'src_len' and 'dst_len' parameters, which can lead to a heap buffer overflow when these values differ. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (NVD, NetApp Security).

When successfully exploited, this vulnerability can lead to a heap buffer overflow, potentially resulting in denial of service (DoS) conditions. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NetApp Security).

The vulnerability has been fixed in QEMU version 8.1.0 and later. A patch was released through upstream commit 9d38a8434721a6479fe03fb5afb150ca793d3980. Various distributions have released security updates to address this vulnerability, including Debian with version 1:3.1+dfsg-8+deb10u11 and Fedora 38 with version 7.2.5-1.fc38 (Debian LTS, Fedora Update).