CVE-2023-39947: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-39947 affects eprosima Fast DDS, a C++ implementation of the Data Distribution Service standard. The vulnerability was discovered in versions prior to 2.11.1, 2.10.2, 2.9.2, and 2.6.6, where malformed PID_PROPERTY_LIST parameters cause heap overflow at a different program counter. The issue was disclosed on August 11, 2023, and has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD, Ubuntu).

The vulnerability is a heap-based buffer overflow that occurs during the processing of malformed RTPS packets containing specially crafted PID_PROPERTY_LIST parameters. The issue manifests in the push_back_helper function where insufficient buffer size validation leads to a heap overflow condition. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is the potential for remote attackers to cause a denial of service by crashing any Fast-DDS process. The vulnerability affects the availability of the system while having no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6. Users are advised to upgrade to these or later versions. For Ubuntu users, fixes have been released for various distributions including version 2.9.1+ds-1ubuntu0.1 for Ubuntu 23.04 and version 2.5.0+ds-3ubuntu0.1~esm1 for Ubuntu 22.04 LTS (Ubuntu Security Notice, Debian Security Advisory).