CVE-2022-1623
Publication date 11 May 2022
Last updated 24 July 2024
Ubuntu priority
LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tiff | 22.04 LTS jammy |
Not affected
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
ccdm94
This CVE has the same fix as the one for CVE-2022-1622. according to the issue in the libtiff git (410), this only affects version 4.3.0 onwards, more specifically, versions that include commit 3079627e. Further investigation has confirmed that versions below 4.3.0 seem to be not affected, as the reproducer does not work, and there are no SEGV errors. Impish and jammy, which include version 4.3.0, also do not seem to be affected, as results from running the POCs with their versions are different than the ones obtained when the specific commit mentioned in the 410 issue by the issue reporter is used with the same POC files (commit b51bb157). For this reason, and because jammy and earlier do not include code from commit 3079627e, these releases will be marked as not vulnerable.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |