CVE-2024-13050: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been identified in Ashlar-Vellum Graphite's VC6 file parsing functionality. The vulnerability, tracked as CVE-2024-13050, was discovered and reported through the Zero Day Initiative (ZDI-CAN-24976). This security flaw affects Ashlar-Vellum Graphite version 13.0.48 and was disclosed on December 30, 2024 (ZDI Advisory, NVD).

The vulnerability stems from improper validation of user-supplied data length during the parsing of VC6 files, which can lead to a heap-based buffer overflow condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Ashlar-Vellum Graphite. The high severity rating indicates potential comprehensive impacts on system confidentiality, integrity, and availability (ZDI Advisory).

As of the disclosure date, no official patch has been released. The Zero Day Initiative reported the vulnerability to the vendor on August 16, 2024, with the vendor acknowledging receipt. After multiple follow-ups and no patch being issued, ZDI proceeded with a zero-day advisory publication. The primary mitigation strategy is to restrict interaction with the application (ZDI Advisory).