CVE-2023-50268: 
NixOS vulnerability analysis and mitigation

CVE-2023-50268 affects jq, a command-line JSON processor. The vulnerability was discovered in version 1.7 and involves a stack-based buffer overflow in builds using decNumber. The issue was patched in version 1.7.1, which was released in December 2023 (GitHub Advisory, NVD).

The vulnerability is a stack-based buffer overflow that occurs when comparing NaN (Not a Number) values with large payloads. The issue was introduced when a unit allocated for decNumberCompare was accidentally removed. The vulnerability was discovered through OSS-fuzz testing and can be triggered when comparing NaN values with payloads of 1000 or more (OSS Security, GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) by NVD and 6.2 (Medium) by GitHub (NVD).

When exploited, this vulnerability could lead to a stack buffer overflow condition, potentially causing program crashes or enabling arbitrary code execution. The vulnerability specifically affects builds using decNumber and could be triggered through malicious input processing (GitHub Advisory).

The vulnerability has been fixed in jq version 1.7.1. Users are advised to upgrade to this version or later. The fix involves properly allocating memory for decNumberCompare operations (GitHub Commit, OSS Security).