CVE-2022-34266

Summary

CVE	CVE-2022-34266
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-19 20:15:00 UTC
Updated	2022-09-23 15:19:00 UTC
Description	The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Risk And Classification

Problem Types: CWE-908

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Amazon	Linux 2	-	All	All	All
Application	Libtiff	Libtiff	4.0.3-35	All	All	All

References

Reference	Source	Link	Tags
Amazon Linux Security Advisories	MISC	alas.aws.amazon.com
ALAS2-2022-1814	MISC	alas.aws.amazon.com
859433 – (CVE-2022-34266) media-libs/tiff: null pointer dereference	MISC	bugs.gentoo.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

353984 Amazon Linux Security Advisory for libtiff : ALAS2-2022-1814
502793 Alpine Linux Security Update for tiff
752686 SUSE Enterprise Linux Security Update for tiff (SUSE-SU-2022:3679-1)
752701 SUSE Enterprise Linux Security Update for tiff (SUSE-SU-2022:3690-1)