CVE-2022-1354 — Out-of-bounds Read in Libtiff

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write8 documents7 sources

Severity

5.5MEDIUMNVD

OSV7.5

EPSS

0.0%

top 88.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libtiff Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedAug 31

Latest updateSep 20

Description

A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDlibtiff/libtiff< 4.4.0

▶CVEListV5libtiff/libtiffNot-Known

Also affects: Debian Linux 10.0, 11.0, Fedora 34, 35, 36, Enterprise Linux 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

OSV

tiff vulnerabilities↗2022-09-20

▶

GHSA

GHSA-8g2j-v7wm-mhv5: A heap buffer overflow flaw was found in Libtiffs' tiffinfo↗2022-09-01

▶

OSV

CVE-2022-1354: A heap buffer overflow flaw was found in Libtiffs' tiffinfo↗2022-08-31

▶

CVEList

CVE-2022-1354: A heap buffer overflow flaw was found in Libtiffs' tiffinfo↗2022-08-31

▶

📋Vendor Advisories

Ubuntu

LibTIFF vulnerabilities↗2022-09-20

▶

Red Hat

libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c↗2022-04-12

▶

Debian

CVE-2022-1354: tiff - A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawData...↗2022

▶