CVE-2022-3598 Script in LibTIFF 4.4.0 has an out-of-bounds write, allowing attackers to cause a denial-of-service.

libtiff is an open source library that supports many different formats including TIFF, XVID, GIF, PNG, and many others. It has been in use since the early days of digital photography, and can still be found in many applications. libtiff version 4.4.0 has a critical denial-of-service vulnerability. An attacker could exploit this vulnerability by sending a malicious TIFF file to an unsuspecting user. When this user opens the TIFF file, the vulnerable code executes, causing the application to crash. This crash could potentially be used to steal sensitive information from the application.
AFFECTED VERSIONS libtiff can be compiled on many different systems, and these systems will have different library versions. The following table shows the most common libtiff versions and the vulnerable versions. If you are running a vulnerable version, you should upgrade as soon as possible. Table 1. Most common libtiff versions and vulnerable versions. Most Common Versions Vulnerable Versions 4.4.0 4.4.0 4.4.0 4.4.0 4.4.0 4.4.0 4.4.0 4.4.0

Mitigation Strategies

If you are running an affected version of libtiff, you should upgrade to the latest version as soon as possible. If you cannot upgrade your software, contact the vendor who provided the software for an updated version. The vendor can be found online at:
libtiff.org

What is libtiff? libtiff is a library for manipulating and displaying many different image formats. It was originally created by Michael D. Smith in 1987, and has been in use since the early days of digital photography.

With libtiff, it’s possible to manipulate images in many ways, such as convert them to black and white or change their color gamut. It also supports many common image file formats, including TIFF, XVID, GIF, PNG, JPEG-LS and others.
One example of using libtiff is displaying an image as a preview when saving it as a JPEG file. Another common task that can be accomplished with libtiff is display a 100% transparent background over an image when saving it as a PNG file.
Additionally, there are other features that make libtiff useful for photographers. For instance, it has features that allow you to perform photo editing on your images without having to download additional software like Adobe Photoshop.

Timeline

Published on: 10/21/2022 16:15:00 UTC
Last modified on: 10/21/2022 20:58:00 UTC

References

• https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3598.json
• https://gitlab.com/libtiff/libtiff/-/issues/435
• https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3598