Severity
5.5 MEDIUM (NVD)
OSV: 6.5
EPSS
0.0%
top 96.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 17
Latest update: Nov 8

Description

libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (12 packages)

NVD: libtiff/libtiff < 4.4.0
CVEListV5: libtiff/libtiff, libtiff 4.4.0rc1
debian: debian/tiff < tiff 4.4.0~rc1-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36

Patches

Vulnerability Details (4)

OSV: tiff vulnerabilities (2022-11-08)
OSV: tiff vulnerabilities (2022-09-08)
GHSA: GHSA-8rfm-2x4g-8xh5: libtiff's tiffcrop utility has an improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is abl (2022-08-18)
OSV: CVE-2022-2868: libtiff's tiffcrop utility has an improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is abl (2022-08-17)

Vendor Advisories (5)

Ubuntu: LibTIFF vulnerabilities (2022-11-08)
Ubuntu: LibTIFF vulnerabilities (2022-09-08)
Microsoft: libtiff's tiffcrop utility has an improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. (2022-08-09)
Debian: CVE-2022-2868: tiff - libtiff's tiffcrop utility has an improper input validation flaw that can lead to... (2022)
Red Hat: libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits() (2021-12-08)