CVE-2022-0924: 
NixOS vulnerability analysis and mitigation

CVE-2022-0924 is a security vulnerability affecting libtiff version 4.3.0, specifically in the tiffcp utility. The vulnerability was discovered in March 2022 and involves an out-of-bounds read error that allows attackers to cause a denial-of-service condition via a crafted TIFF file (NVD, Red Hat).

The vulnerability is specifically located in the cpContigBufToSeparateBuf function in tiffcp.c. When processing certain malformed TIFF files, the function can trigger a heap buffer overflow at line 1373, leading to an out-of-bounds read condition (GitLab Issue). The issue was fixed in commit 408976c4 for users who compile libtiff from sources (CVE Mitre).

When successfully exploited, this vulnerability can lead to a denial-of-service condition. The CVSS score for this vulnerability is 5.5 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating that it requires local access and user interaction to exploit (NetApp Security).

The vulnerability has been patched in various distributions and versions. For Debian, the fix was released in version 4.2.0-1+deb11u1 for the stable distribution (bullseye) and version 4.1.0+git191117-2~deb10u4 for the oldstable distribution (buster) (Debian Security). Red Hat has also released patches for affected versions in their enterprise Linux distributions (Red Hat Security).