CVE-2023-40890: 
NixOS vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability (CVE-2023-40890) was discovered in the lookup_sequence function of ZBar version 0.23.90. ZBar is a barcode and QR code scanning software suite that supports various formats including EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 93, Code 39, Codabar, Interleaved 2 of 5, QR Code, and SQ Code (NVD, Ubuntu Security).

The vulnerability exists in the lookup_sequence function where a stack-based buffer overflow can occur when processing specially crafted QR codes. The issue has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

Successful exploitation of this vulnerability could lead to information disclosure and/or arbitrary code execution on the affected system. The vulnerability can be triggered either through digital input of a malicious QR code or by physically scanning a specially crafted malicious QR code using the vulnerable scanner (HackMD, Debian LTS).

Multiple vendors have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 0.23.92-4ubuntu0.1~esm1 for 22.04 LTS and 0.23-1.3ubuntu0.1~esm1 for 20.04 LTS. Fedora has released version 0.23.93-1 to address the vulnerability. Users are advised to upgrade to the latest patched versions (Ubuntu Security, Fedora Update).