
Cloud Vulnerability DB
A community-led vulnerabilities database
A memory leak vulnerability was discovered in freeglut through version 3.4.0, identified as CVE-2024-24259. The vulnerability exists in the glutAddMenuEntry function where a local variable named 'menuEntry' is allocated memory but not properly released under certain conditions (GitHub PR, MuPDF Defects). The vulnerability was initially reported in February 2024 and affects the freeglut library, which is an open-source alternative to the OpenGL Utility Toolkit (GLUT).
The vulnerability occurs in the glutAddMenuEntry function within the fg_menu.c file. When fgStructure.CurrentMenu is empty, the function returns without releasing the allocated memory area for the menuEntry variable, resulting in a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The memory leak can lead to gradual consumption of system memory over time, potentially affecting system availability. While the vulnerability does not directly impact confidentiality or integrity, continuous memory leaks can eventually lead to degraded system performance or denial of service conditions (Red Hat).
A fix has been implemented and merged into the freeglut repository, which postpones allocating the menuEntry variable until after the error checks. The patch is available through various distribution updates, including Fedora's security updates for versions 38 and 39 (Fedora Update).
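The pattern described above, as an added illustration that is not freeglut's code: a simplified C model of allocating the entry before the error check, next to the reordered version the fix describes. The type and function names, the fixed menu capacity and the allocation counter are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model, not freeglut's real types; capacity 8 is an assumption. */
typedef struct { int id; char text[32]; } MenuEntry;
typedef struct { MenuEntry *entries[8]; int count; } Menu;
static Menu *current_menu = NULL; /* stands in for fgStructure.CurrentMenu */
static long live_allocs = 0;      /* entries allocated and not yet freed */

static MenuEntry *entry_alloc(void) {
    MenuEntry *e = calloc(1, sizeof *e);
    if (e) live_allocs++;
    return e;
}

static int attach(Menu *m, MenuEntry *e, const char *label, int id) {
    e->id = id;
    snprintf(e->text, sizeof e->text, "%s", label);
    m->entries[m->count++] = e;   /* the menu now owns e */
    return 0;
}

/* Pattern the advisory describes: allocate first, then hit the error check. */
static int add_entry_leaky(const char *label, int id) {
    MenuEntry *e = entry_alloc();
    if (!e) return -1;
    if (!current_menu || current_menu->count >= 8) return -1; /* e is lost */
    return attach(current_menu, e, label, id);
}

/* Shape of the fix: finish the error checks before allocating anything. */
static int add_entry_fixed(const char *label, int id) {
    if (!current_menu || current_menu->count >= 8) return -1;
    MenuEntry *e = entry_alloc();
    if (!e) return -1;
    return attach(current_menu, e, label, id);
}

/* Call fn n times with no current menu; return how many entries stay allocated. */
static long leaked_blocks(int (*fn)(const char *, int), int n) {
    long before = live_allocs;
    current_menu = NULL;
    for (int i = 0; i < n; i++) fn("Quit", i);
    return live_allocs - before;
}

int main(void) {
    printf("leaky: %ld\n", leaked_blocks(add_entry_leaky, 1000));
    printf("fixed: %ld\n", leaked_blocks(add_entry_fixed, 1000));
    return 0;
}
```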
Source: This report was generated using AI