CVE-2023-42363: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the xasprintf function located in xfuncs_printf.c:344 in BusyBox version 1.36.1. The vulnerability was reported on November 23, 2023, and was assigned CVE-2023-42363 (MITRE, NVD).

The vulnerability is classified as a use-after-free (CWE-416) issue. It received a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability can be triggered through the awk applet when processing specific input patterns, particularly involving comma usage in certain syntax contexts (Busybox Bug).

The vulnerability affects the availability of the system, with no direct impact on confidentiality or integrity. According to the CVSS scoring, while the vulnerability requires user interaction and local access, it can result in high availability impact to the affected system (NVD).

The vulnerability has been fixed in BusyBox version 1.37.0-4. Several major distributions have released patches for their affected versions. Ubuntu has fixed the issue in versions 24.10 (oracular) and 24.04 LTS (noble), while versions 22.04 LTS and earlier are not affected. Debian has fixed the issue in sid and trixie versions (Ubuntu Security, Debian Security).