CVE-2022-3570: Buffer Overflow
First published: Fri Oct 21 2022(Updated: )
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libtiff Libtiff | >=3.9.0<=4.4.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/tiff | <=4.1.0+git191117-2~deb10u4 | 4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.2.0-1+deb11u5 4.5.0-6+deb12u1 4.5.1+git230720-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3570.json
- https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c
- https://gitlab.com/libtiff/libtiff/-/issues/381
- https://gitlab.com/libtiff/libtiff/-/issues/386
- https://lists.debian.org/debian-lts-announce/2023/01/msg00018.html
- https://security.netapp.com/advisory/ntap-20230203-0002/
- https://www.debian.org/security/2023/dsa-5333
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2142735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2143155
- https://access.redhat.com/errata/RHSA-2023:2340
- https://access.redhat.com/security/cve/cve-2022-3570
- https://bugzilla.redhat.com/show_bug.cgi?id=2142734
- https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
- https://security-tracker.debian.org/tracker/CVE-2022-3570
Frequently Asked Questions
What is CVE-2022-3570?
CVE-2022-3570 is a vulnerability in the libtiff library that allows an attacker to trigger heap buffer overflows via a crafted TIFF image file, potentially leading to application crashes or other impacts.
How severe is CVE-2022-3570?
CVE-2022-3570 has a severity rating of 5.5, which is considered high.
Which versions of the libtiff library are affected?
Versions 4.1.0+git191117-2~deb10u8, 4.2.0-1+deb11u4, 4.5.0-6, and 4.5.1+git230720-1 of the libtiff library are affected.
How can I fix CVE-2022-3570?
To fix CVE-2022-3570, update the libtiff library to a version that is not affected, such as 4.1.0+git191117-2~deb10u8, 4.2.0-1+deb11u4, 4.5.0-6, or 4.5.1+git230720-1.
Are there any references for CVE-2022-3570?
Yes, you can find references for CVE-2022-3570 at the following URLs: [Reference 1](https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff), [Reference 2](https://gitlab.com/libtiff/libtiff/-/issues/381), [Reference 3](https://gitlab.com/libtiff/libtiff/-/issues/386).
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3570
- agent/tags
- agent/references
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/libtiff
- canonical/libtiff libtiff
- version/libtiff libtiff/3.9.0
- version/libtiff libtiff/4.4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian