
Bug 859433 (CVE-2022-34266)

Summary: media-libs/tiff: null pointer dereference
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: codec
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-20 01:04:16 UTC
CVE-2022-34266:

The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Unsure if this only applies to Amazon Linux or not.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-29 17:31:32 UTC
Asked MITRE for more information. The Amazon page for the CVE (https://alas.aws.amazon.com/cve/html/CVE-2022-34266.html) has a link to this dead RedHat URL:

https://access.redhat.com/security/cve/CVE-2022-34266
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 19:07:53 UTC
Asked upstream: https://gitlab.com/libtiff/libtiff/-/issues/516
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-27 18:01:01 UTC
(In reply to John Helmert III from comment #2)
> Asked upstream: https://gitlab.com/libtiff/libtiff/-/issues/516

"Who knows ? This is totally unactionable by us without a pointer to a patch. This CVE also refers to a super old libtiff version. Presumably something that has been fixed in later upstream releases and Amazon forgot to backport. Closing."
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-23 17:40:03 UTC
Andrew Lau reports at the upstream issue that this vulnerability is only accessible by Amazon Linux customers thanks to a bugged backport for another vulnerability.