
Cloud Vulnerability DB
A community-led vulnerabilities database
A memory leak vulnerability was discovered in freeglut 3.4.0, specifically in the glutAddSubMenu function where the menuEntry variable is allocated memory but not properly released (GitHub PR, MuPDF Defects). The vulnerability was initially reported against MuPDF v1.23.9 but was later corrected to affect freeglut, which is an open-source alternative to the OpenGL Utility Toolkit (GLUT) library.
The vulnerability is tracked as CVE-2024-24258 with a CVSS v3.1 base score of 7.5 (High). The issue occurs in the glutAddSubMenu function where if fgStructure.CurrentMenu is set, the allocated menuEntry variable will leak memory. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).
While classified with a high CVSS score, the practical impact appears to be limited to memory leaks that could potentially lead to resource exhaustion and availability issues. The vulnerability affects the availability of the system but does not impact confidentiality or integrity (NVD).
A fix has been implemented that postpones allocating the menuEntry variable until after the error checks, thereby preventing the memory leak. The fix is available in the freeglut repository through a pull request. Fedora has released security updates for affected versions (freeglut-3.4.0-7.fc38 and freeglut-3.4.0-7.fc39) to address this vulnerability (Fedora Update).
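The allocate-after-checks pattern described above, as an added example that is not freeglut's own code. The Menu and Entry types, the function names and the rejection condition (a missing target or submenu) are hypothetical stand-ins, and a counter tracks blocks that were allocated but never freed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for a menu and its entries; not freeglut's types. */
typedef struct Entry { const char *label; int sub_id; struct Entry *next; } Entry;
typedef struct Menu { Entry *head; } Menu;

static long live_blocks = 0;  /* allocations not yet freed (demo bookkeeping) */

static Entry *entry_alloc(void) {
    Entry *e = calloc(1, sizeof *e);
    if (e) live_blocks++;
    return e;
}

static void menu_clear(Menu *m) {
    while (m->head) { Entry *n = m->head->next; free(m->head); live_blocks--; m->head = n; }
}

/* Before: allocate first, validate afterwards. An early return drops the
   only pointer to the new entry, so the block can never be freed. */
static int add_submenu_leaky(Menu *target, const Menu *sub, const char *label, int id) {
    Entry *e = entry_alloc();
    if (!target || !sub) return -1;          /* e is lost here */
    if (!e) return -1;
    e->label = label; e->sub_id = id; e->next = target->head; target->head = e;
    return 0;
}

/* After: run every check that can reject the call, then allocate. */
static int add_submenu_fixed(Menu *target, const Menu *sub, const char *label, int id) {
    if (!target || !sub) return -1;          /* nothing allocated yet */
    Entry *e = entry_alloc();
    if (!e) return -1;
    e->label = label; e->sub_id = id; e->next = target->head; target->head = e;
    return 0;
}

/* Blocks still allocated after `calls` attempts; sub == NULL makes each call fail. */
long blocks_left(int use_fixed, int calls, const Menu *sub) {
    Menu target = { NULL };
    long before = live_blocks;
    for (int i = 0; i < calls; i++)
        (use_fixed ? add_submenu_fixed : add_submenu_leaky)(&target, sub, "File", i);
    menu_clear(&target);
    return live_blocks - before;
}

int main(void) {
    printf("leaky: %ld  fixed: %ld\n", blocks_left(0, 1000, NULL), blocks_left(1, 1000, NULL));
    return 0;
}
```

Each rejected call to the "before" version strands one block, which is how repeated failing calls turn into the resource exhaustion the advisory describes; a leak checker such as Valgrind or AddressSanitizer's LeakSanitizer reports the same pattern.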
The severity classification of this vulnerability as 'High' has been questioned by the development community. The freeglut maintainer noted that it's unclear why a memory leak would be classified as a high-severity vulnerability, though they acknowledged the importance of fixing such issues (GitHub PR).
Source: This report was generated using AI