CVE-2023-4508: 
NixOS vulnerability analysis and mitigation

CVE-2023-4508 is a vulnerability discovered in Gerbv, a Gerber file viewer for PCB design, affecting versions between 2.4.0 and 2.10.0. The vulnerability was disclosed on August 24, 2023. The issue allows a user with control over file input to cause a denial-of-service condition through a specially crafted Gerber RS-274X file (NVD, Ubuntu Security).

The vulnerability is classified as CWE-824 (Access of Uninitialized Pointer). The issue occurs when processing included files containing invalid M-code, where the filename member of the gerbfilet structure is not properly initialized. This leads to an invalid address dereference during error logging. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, GitHub Issue).

When exploited, the vulnerability results in a denial-of-service condition through application crash. The impact is limited to availability, with no effects on confidentiality or integrity of the system. The vulnerability requires user interaction to open a specially crafted file (NVD, Ubuntu Security).

A fix has been implemented in version 2.10.0 through commit 5517e22, which addresses the proper allocation and deallocation of filenames in the gerbfopen and gerbfclose functions. Various Linux distributions have also released patched versions, including Ubuntu 23.10 (2.9.8-1ubuntu0.1), Ubuntu 22.04 (2.8.2-1ubuntu0.1~esm2), and Ubuntu 20.04 (2.7.0-1ubuntu0.2) (GitHub Commit, Ubuntu Security Notice).