CVE-2023-47466: 
NixOS vulnerability analysis and mitigation

TagLib before version 2.0 contains a vulnerability (CVE-2023-47466) that allows a segmentation violation and application crash during tag writing via a crafted WAV file in which an id3 chunk is the only valid chunk. The vulnerability was discovered and reported on November 1, 2023, affecting the TagLib library, which is used for reading and editing metadata of several popular audio formats (MITRE, NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 2.9 (LOW) and vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue occurs when processing WAV files with specially crafted headers where the id3 chunk is the only valid chunk. When attempting to write tags, the existing id3 chunk is removed, leading to a vector::front() call on an empty chunks vector, resulting in a segmentation fault (Wiz, GitHub Issue).

The vulnerability affects the availability of software systems using the TagLib library. When exploited, it can cause application crashes during tag writing operations. VLC Media player has been confirmed to be affected by this vulnerability (GitHub Issue).

The vulnerability has been fixed in TagLib version 2.0. Users should upgrade to this version to mitigate the issue. The fix involves adding a check for empty vectors before calling vector::front() in the updateGlobalSize() function (GitHub Commit).