First published: Fri Oct 21 2022(Updated: )
LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.
Credit: cve@gitlab.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/tiff | <=4.1.0+git191117-2~deb10u4 | 4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.2.0-1+deb11u5 4.5.0-6+deb12u1 4.5.1+git230720-3 |
Libtiff Libtiff | <=4.4.0 | |
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-3599 is a vulnerability in LibTIFF 4.4.0 that allows attackers to cause a denial-of-service via a crafted tiff file.
The LibTIFF vulnerability can be exploited by using a crafted tiff file to trigger an out-of-bounds read in the writeSingleSection function.
Users of LibTIFF 4.4.0 are affected by CVE-2022-3599.
For users that compile libtiff from sources, the fix is available with commit e8131125.
You can find more information about CVE-2022-3599 in the references provided: [reference_1](https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246), [reference_2](https://gitlab.com/libtiff/libtiff/-/issues/398), [reference_3](https://security-tracker.debian.org/tracker/CVE-2022-3599).