What is CVE-2022-2869?

CVE-2022-2869 is a vulnerability in libtiff's tiffcrop tool that allows an attacker to trigger out-of-bounds read and write by supplying a crafted file to tiffcrop.

How does CVE-2022-2869 affect libtiff?

CVE-2022-2869 affects libtiff's tiffcrop tool, specifically in the extractContigSamples8bits routine.

What is the severity of CVE-2022-2869?

The severity of CVE-2022-2869 is medium.

How can an attacker exploit CVE-2022-2869?

An attacker can exploit CVE-2022-2869 by tricking a user into opening a crafted file with tiffcrop.

Is there a fix for CVE-2022-2869?

Yes, there are fixes available for CVE-2022-2869. Please refer to the official references for the specific fixes.

Vulnerability/
CVE-2022-2869

medium

5.5

CWE

125 191 787

16/8/2022

17/8/2022

17/12/2024

CVE-2022-2869: Integer Underflow

First published: Tue Aug 16 2022(Updated: )

In libtiff's tiffcrop (tools/tiffcrop.c) utility, there is a uint32_t underflow that leads to an out-of-bounds read and write. A crafted file could trigger this flaw when certain command line arguments are also supplied. References: 1. <a href="https://gitlab.com/libtiff/libtiff/-/issues/352">https://gitlab.com/libtiff/libtiff/-/issues/352</a> 2. <a href="https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=bcf28bb7f630f24fa47701a9907013f3548092cd">https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=bcf28bb7f630f24fa47701a9907013f3548092cd</a>

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
debian/tiff	<=4.1.0+git191117-2~deb10u4	4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.2.0-1+deb11u5 4.5.0-6+deb12u1 4.5.1+git230720-3
redhat/libtiff	<4.4.0	4.4.0
IBM Cognos Analytics	<=12.0.0-12.0.3
IBM Cognos Analytics	<=11.2.0-11.2.4 FP4
Libtiff	<4.4.0
Fedoraproject Fedora	=35
Fedoraproject Fedora	=36
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=2118869

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7177223

Frequently Asked Questions

What is CVE-2022-2869?
CVE-2022-2869 is a vulnerability in libtiff's tiffcrop tool that allows an attacker to trigger out-of-bounds read and write by supplying a crafted file to tiffcrop.
How does CVE-2022-2869 affect libtiff?
CVE-2022-2869 affects libtiff's tiffcrop tool, specifically in the extractContigSamples8bits routine.
What is the severity of CVE-2022-2869?
The severity of CVE-2022-2869 is medium.
How can an attacker exploit CVE-2022-2869?
An attacker can exploit CVE-2022-2869 by tricking a user into opening a crafted file with tiffcrop.
Is there a fix for CVE-2022-2869?
Yes, there are fixes available for CVE-2022-2869. Please refer to the official references for the specific fixes.

collector/security-tracker-debian
agent/type
agent/first-publish-date
agent/weakness
agent/author
agent/severity
agent/remedy
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-2869
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/event
collector/ibm-support
source/IBM
agent/last-modified-date
agent/references
agent/softwarecombine
agent/description
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/debian
package-manager/redhat
vendor/ibm
canonical/ibm cognos analytics
version/ibm cognos analytics/12.0.0-12.0.3
version/ibm cognos analytics/11.2.0-11.2.4 fp4
vendor/libtiff
canonical/libtiff
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
version/fedoraproject fedora/36
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
version/debian debian linux/11.0