First published: Sun Nov 13 2022(Updated: )
A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
Credit: found by OSS-Fuzz found by OSS-Fuzz cna@vuldb.com cna@vuldb.com cna@vuldb.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/tiff | <=4.4.0-5<=4.2.0-1<=4.2.0-1+deb11u1 | |
Libtiff Libtiff | <4.5.0 | |
Apple iPadOS | ||
Debian Debian Linux | =10.0 | |
Apple Safari | <16.5.1 | |
Apple iPadOS | <16.6 | |
Apple iPhone OS | <16.6 | |
Apple macOS | <13.5 | |
Apple macOS Ventura | <13.5 | 13.5 |
Apple iOS | <16.6 | 16.6 |
Apple iPadOS | <16.6 | 16.6 |
ubuntu/tiff | <4.0.9-5ubuntu0.9 | 4.0.9-5ubuntu0.9 |
ubuntu/tiff | <4.1.0+ | 4.1.0+ |
ubuntu/tiff | <4.3.0-6ubuntu0.3 | 4.3.0-6ubuntu0.3 |
ubuntu/tiff | <4.4.0-4ubuntu3.2 | 4.4.0-4ubuntu3.2 |
ubuntu/tiff | <4.0.3-7ubuntu0.11+ | 4.0.3-7ubuntu0.11+ |
ubuntu/tiff | <4.5.0<4.4.0-6 | 4.5.0 4.4.0-6 |
ubuntu/tiff | <4.0.6-1ubuntu0.8+ | 4.0.6-1ubuntu0.8+ |
debian/tiff | <=4.1.0+git191117-2~deb10u4 | 4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.2.0-1+deb11u5 4.5.0-6+deb12u1 4.5.1+git230720-4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2022-3970 is a critical vulnerability found in LibTIFF that allows for remote code execution through integer overflow.
CVE-2022-3970 has a severity rating of 8.8 (high).
Yes, CVE-2022-3970 can be exploited remotely.
The affected software versions of CVE-2022-3970 include tiff 4.0.9-5ubuntu0.9, tiff 4.1.0+, tiff 4.3.0-6ubuntu0.3, tiff 4.4.0-4ubuntu3.2, tiff 4.0.3-7ubuntu0.11+, tiff 4.5.0, tiff 4.4.0-6, tiff 4.0.6-1ubuntu0.8+, and tiff 4.4.0-5 to 4.2.0-1+deb11u1.
To fix CVE-2022-3970, upgrade to the latest version of tiff as recommended by your operating system or distribution.