CVE-2023-33658: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability was discovered in NanoMQ version 0.17.2. The vulnerability (CVE-2023-33658) affects the function nni_msg_get_pub_pid() in the message.c file. This vulnerability was identified and reported by researchers from the School of Cyber Science and Technology, Shandong University (NVD, GitHub Issue).

The vulnerability occurs when NanoMQ processes malformed PUBLISH messages, leading to a heap buffer overflow condition. The issue specifically involves the nni_msg_get_pub_pid() function in message.c. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD).

If successfully exploited, this vulnerability could lead to a denial of service attack against the NanoMQ broker. When Address Sanitizer (ASAN) is enabled during compilation, the vulnerability causes NanoMQ to crash and display ASAN information (GitHub Issue).

The vulnerability has been patched in a subsequent release. A fix was implemented and committed to the NanoNNG repository, addressing the buffer overflow issue in the transport layer (NanoNNG Patch).