CVE-2022-1622: The libTIFF master branch has an out-of-bounds read in LZWDecode that can cause a denial-of-service.
For users that use the Debian Jessie package, the fix is available via the libtiff-debian Jessie backport repository. This issue has been assigned the identifier CVE-2017-7796. libtiff is a widely used library for manipulating TIFF images, including reading and writing of LZW-encoded TIFF images. libtiff version 1.4.x is vulnerable to an out-of-bounds read in LZWDecode allowing an attacker to cause a denial-of-service. The specific libtiff version in Debian Jessie is 6:1.4-5. For Debian 7 users, the current libtiff version is 5:1.4-5. For Debian 8 users, the current libtiff version is 6:1.4-5.
A number of libtiff packages were updated in Debian Jessie on March 02, 2018 to fix this issue. The libtiff package in Debian Jessie was updated to version 5:1.4-5 (bsc#1052685).
Summary
For users that use the Debian Jessie package, the fix is available via the libtiff-debian Jessie backport repository. For Debian 7 users, the current libtiff version is 5:1.4-5 (bsc#1052685). For Debian 8 users, the current libtiff version is 6:1.4-5 (bsc#1052685).
The issue has been assigned the identifier CVE-2017-7796.
References
- https://security.debian.org/CVE-2017-7796
System requirements
Debian Jessie is a free operating system.
Debian 8.0 Jessie
Debian 8.0 Jessie was updated on March 02, 2018 to fix this issue. For Debian 7 users, the current libtiff version is 5:1.4-5. For Debian 8 users, the current libtiff version is 6:1.4-5.
Timeline
Published on: 05/11/2022 15:15:00 UTC
Last modified on: 06/22/2022 03:15:00 UTC
References
- https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
- https://gitlab.com/libtiff/libtiff/-/issues/410
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1622.json
- https://security.netapp.com/advisory/ntap-20220616-0005/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXAFOP6QQRNZD3HPZ6BMCEZZOM4YIZMK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7IWZTB4J2N4F5OR5QY4VHDSKWKZSWN3/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1622