CVE-2023-4256: 
NixOS vulnerability analysis and mitigation

A double free vulnerability (CVE-2023-4256) was identified in tcpreplay's tcprewrite utility, specifically in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c. The vulnerability affects tcpreplay versions 4.4.3 and 4.4.4. This security issue was disclosed on December 21, 2023 (NVD).

The vulnerability occurs in the tcpedit_dlt_cleanup() function where a double free condition exists. The issue can be triggered by supplying a specifically crafted file to the tcprewrite binary. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating local access is required and user interaction is needed (Ubuntu).

When successfully exploited, this vulnerability allows a local attacker to initiate a Denial of Service (DoS) attack by causing the application to crash. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity (NVD, Red Hat Bugzilla).

Fixed versions have been released for various distributions. Ubuntu has released fixes in versions 4.4.4-1ubuntu0.1~esm1 for 24.04, 4.3.4-1ubuntu0.1~esm2 for 22.04 LTS, 4.3.2-1ubuntu0.1~esm3 for 20.04 LTS, and 4.2.6-1ubuntu0.1~esm5 for 18.04 LTS. Fedora has released version 4.4.4-5 for Fedora 38, 39, and 40 (Ubuntu Security Notice, Fedora Update).