CVE-2024-55192: 
NixOS vulnerability analysis and mitigation

OpenImageIO v3.1.0.0dev contains a heap overflow vulnerability in the component OpenImageIOv31_0::farmhash::inlined::Fetch64(char const*). The vulnerability was discovered on December 2, 2024, and affects the development version of the software (GitHub Issue). The CVSS v3.1 base score is 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability is a heap-buffer-overflow that occurs in the farmhash component, specifically in the Fetch64 function located in src/include/OpenImageIO/detail/farmhash.h. The issue manifests when processing certain image files through the iconvert and oiiotool utilities. The vulnerability has been classified as CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow) (NVD).

The heap overflow vulnerability could potentially lead to arbitrary code execution, system crashes, or memory corruption. Given the CVSS score of 9.8, this vulnerability is considered critical with potential for high impact on confidentiality, integrity, and availability of the affected systems (NVD).

As of the current reporting, there is no official patch available for this vulnerability. Users are advised to monitor the OpenImageIO repository for security updates and exercise caution when processing untrusted image files (GitHub Issue).