CVE-2022-34266: The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Unsure if this only applies to Amazon Linux or not.
Asked MITRE for more information. The Amazon page for the CVE (https://alas.aws.amazon.com/cve/html/CVE-2022-34266.html) has a link to this dead RedHat URL: https://access.redhat.com/security/cve/CVE-2022-34266
Asked upstream: https://gitlab.com/libtiff/libtiff/-/issues/516
(In reply to John Helmert III from comment #2)
> Asked upstream: https://gitlab.com/libtiff/libtiff/-/issues/516

"Who knows ? This is totally unactionable by us without a pointer to a patch. This CVE also refers to a super old libtiff version. Presumably something that has been fixed in later upstream releases and Amazon forgot to backport. Closing."
Andrew Lau reports at the upstream issue that this vulnerability is only accessible by Amazon Linux customers thanks to a bugged backport for another vulnerability.