CVE-2023-4504: 
NixOS vulnerability analysis and mitigation

CVE-2023-4504 affects CUPS (Common UNIX Printing System) and libppd, discovered in September 2023. The vulnerability stems from a failure in validating the length provided by an attacker-crafted PPD PostScript document, making these systems susceptible to a heap-based buffer overflow. The issue affects CUPS versions prior to 2.4.7 and libppd version 2.0rc2 (CUPS Advisory, LibPPD Advisory).

The vulnerability exists in the scan_ps function, which scans through a string looking for the next PostScript object. When processing a string containing an open parenthesis and ending with a single backslash character, the code incorrectly iterates forward without proper bounds checking, resulting in a 1-byte read beyond the allocated heap buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 HIGH with vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to code execution on affected systems. When exploited, an attacker could compromise the machine running the affected software, either CUPS or another application using the libppd library, potentially gaining a privileged position in the targeted network (CUPS Advisory).

The vulnerability has been fixed in CUPS version 2.4.7, released in September 2023. Users are advised to upgrade to this version or later. Various Linux distributions have also released security updates, including Fedora 37, 38, and 39, and Debian (Debian Advisory, Fedora Advisory).