CVE-2023-50246: 
NixOS vulnerability analysis and mitigation

jq, a command-line JSON processor, version 1.7 was found to contain a heap-based buffer overflow vulnerability. The vulnerability was discovered and disclosed in December 2023, and was assigned CVE-2023-50246. The issue was patched in version 1.7.1 (NVD, OSS-Security).

The vulnerability exists in the decToString function in decNumber.c, where the function calls for a buffer that can hold a string of digits+14 characters but fails to allocate an extra byte for the NUL byte. This leads to a heap-based buffer overflow condition. The issue was identified with a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

When exploited, the vulnerability could lead to a heap buffer overflow condition. For example, when processing input like '-10E-1000010001', the program would attempt to stringify it as '-1.0E-1000010000' and write an extra NUL byte after the allocated buffer in the heap, potentially causing system instability or crashes (GitHub Commit).

The vulnerability has been fixed in jq version 1.7.1. Users are advised to upgrade to this version, which includes a patch that properly allocates buffer space for the NUL byte terminator. The fix involves modifying the buffer allocation size in the jvp_literal_number_literal function (OSS-Security).