CVE-2023-46045: 
NixOS vulnerability analysis and mitigation

Graphviz versions 2.36.0 through 9.x before 10.0.1 contain an out-of-bounds read vulnerability that can be triggered via a crafted config6a file. The vulnerability was discovered in late 2023 and was assigned CVE-2023-46045. While the vulnerability affects a wide range of versions, its exploitability is considered limited because the affected config6a file is typically owned by root (NVD, Full Disclosure).

The vulnerability is classified as an out-of-bounds read issue (CWE-125) with a CVSS v3.1 base score of 7.8 (High). The vulnerability vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required. The issue was introduced in version 2.36.0 through commit cf95714837f06f684929b54659523c2c9b1fc19f and was later fixed by essentially reverting this commit in version 10.0.1 (Full Disclosure, NVD).

The vulnerability could potentially lead to information disclosure, integrity compromise, and availability issues due to the out-of-bounds read condition. However, the actual impact is mitigated by the fact that the vulnerable config6a file is typically owned by root, which limits the attack surface (NVD).

The vulnerability has been fixed in Graphviz version 10.0.1. Users are advised to upgrade to this version or later to address the issue. The fix was implemented by reverting the commit that introduced the vulnerability through commit a95f977f5d809915ec4b14836d2b5b7f5e74881e (Full Disclosure).

The Graphviz maintainers, while not initially consulted about the CVE assignment, chose not to contest it despite some debate about its security impact. There was some discussion in the security community about whether this issue warranted a CVE, given that it requires root file access to exploit (OSS Security).