CVE-2023-39534: 
Linux Debian vulnerability analysis and mitigation

eprosima Fast DDS, a C++ implementation of the Data Distribution Service standard, was found to be vulnerable to a malformed GAP submessage that could trigger an assertion failure, causing the application to crash. The vulnerability (CVE-2023-39534) was discovered and patched in versions 2.10.0, 2.9.2, and 2.6.5. This security issue affects versions prior to these releases (GitHub Advisory).

The vulnerability occurs when processing a malformed GAP submessage where the gapList.base is zero, leading to a computation of 0 - 1 that triggers an assertion failure in SequenceNumber.h:247. The issue manifests in StatefulReader.cpp:863 during the computation of finalSN = gapList.base() - 1. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

When successfully exploited, this vulnerability results in a denial of service condition through application crash. The vulnerability affects the availability of the system while having no direct impact on confidentiality or integrity. The high CVSS score reflects the severity of the availability impact and the ease of exploitation (GitHub Advisory).

The vulnerability has been patched in Fast DDS versions 2.10.0, 2.9.2, and 2.6.5. Users are advised to upgrade to these or later versions. For Debian systems, fixed versions have been released: version 2.1.0+ds-9+deb11u1 for oldstable distribution (bullseye) and version 2.9.1+ds-1+deb12u1 for stable distribution (bookworm) (Debian Security).