CVE-2022-1056: 
NixOS vulnerability analysis and mitigation

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 was discovered on March 23, 2022. The vulnerability affects the tiffcrop utility in LibTIFF software version 4.3.0, which allows attackers to cause a denial-of-service condition through a specially crafted TIFF file (NVD, CVE).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v3.1 Base Score of 5.5 (MEDIUM). The attack vector requires local access (AV:L) with low attack complexity (AC:L), no privileges required (PR:N), and user interaction (UI:R). The scope is unchanged (S:U) with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H) (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service condition. The issue specifically affects the tiffcrop utility's ability to process TIFF files, where a maliciously crafted file can trigger a heap buffer overflow in the _TIFFmemcpy function (GitLab Issue).

For users that compile libtiff from sources, the fix is available with commit 46dc8fcd. The vulnerability has been fixed in libtiff version 4.4.0. Users are advised to upgrade to this version or later to mitigate the vulnerability (Gentoo Security, NetApp Security).