CVE-2023-36377: 
NixOS vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in mtrojnar osslsigncode version 2.3 and earlier versions. The vulnerability allows a local attacker to execute arbitrary code through specially crafted .exe, .sys, and .dll files (NVD, CVE).

The vulnerability is classified as a classic buffer overflow (CWE-120) that occurs during the processing of specific file types. The severity is rated as HIGH with a CVSS v3.1 base score of 7.8, with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates local access is required, low attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability can lead to arbitrary code execution when processing untrusted files. This poses a critical security risk as it could allow attackers to execute malicious code with the privileges of the osslsigncode process (GitHub Release).

The vulnerability has been fixed in version 2.3 of osslsigncode. Users are strongly advised to immediately upgrade any previous versions of the tool, especially if it is used for processing untrusted files. Debian has also released security updates, with version 2.0+really2.5-4+deb10u1 addressing this vulnerability for Debian 10 buster (Debian Advisory).