First published: Thu Dec 22 2022(Updated: )
Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`.
Credit: talos-cna@cisco.com talos-cna@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Openimageio Openimageio | =2.4.4.2 | |
Debian Debian Linux | =11.0 | |
debian/openimageio | <=2.0.5~dfsg0-1 | 2.0.5~dfsg0-1+deb10u2 2.2.10.1+dfsg-1+deb11u1 2.4.7.1+dfsg-2 2.4.14.0+dfsg-1 |
=2.4.4.2 | ||
=11.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-43598 is a memory corruption vulnerability in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2.
CVE-2022-43598 can lead to arbitrary code execution if a specially crafted ImageOutput Object is provided as input.
Versions 2.0.5~dfsg0-1+deb10u2, 2.2.10.1+dfsg-1+deb11u1, 2.4.7.1+dfsg-2, and 2.4.13.0+dfsg-1 of the OpenImageIO package from Debian are affected by CVE-2022-43598.
To mitigate CVE-2022-43598, update the OpenImageIO package to version 2.0.5~dfsg0-1 or apply the recommended fixes mentioned in the Debian security tracker.
More information about CVE-2022-43598 can be found at Talos Intelligence vulnerability report, OpenImageIO GitHub pull request, and the Debian security tracker.