
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-2521 is an invalid pointer free in libtiff 4.4.0rc1: TIFFClose() at tif_close.c:131 frees an invalid pointer when it is called from tiffcrop.c:2522 (MITRE, NVD). The vulnerability was reported in July 2022. Although the bad free executes inside the library function TIFFClose(), the code path that reaches it belongs to tiffcrop, the cropping command-line tool shipped with libtiff, not to the library's normal image-reading API.
The condition is triggered when tiffcrop processes a crafted TIFF file while the -S option (divide the image into sections) is combined with other crop options, -X or -Y, -Z or -z (GitLab issue). The CVSS v3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: network attack vector, low complexity, no privileges, user interaction required, impact on availability only (Oracle Linux). The "Network" vector reflects delivery of a crafted file from a remote source; tiffcrop itself only opens files it is handed, so the practical exposure is any workflow that runs tiffcrop on images received from untrusted parties.
When exploited, the invalid free crashes the tiffcrop process, causing a denial of service for whatever pipeline invoked it on the crafted input (MITRE). There is no confidentiality or integrity impact.
The vulnerability has been fixed in subsequent libtiff releases. The upstream fix does not change TIFFClose(); it makes the tiffcrop -S option mutually exclusive with the other crop options (-X|-Y), -Z and -z, so the option combination that leads to the invalid free is rejected before any image data is processed. Because the fix is confined to tiffcrop's option handling, programs that only link libtiff and never run tiffcrop are not exposed through this CVE. Distributions have backported the fix: Debian addressed it in libtiff 4.2.0-1+deb11u3 (Debian Security). Note that a backported package keeps its old upstream version number, so comparing the installed version against the upstream release that contains the fix gives a false positive on such systems; check the distribution's advisory or the package changelog instead.
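The following wrapper is an added example and is not libtiff's or any distribution's code. It reproduces, in front of an unpatched tiffcrop binary, the rule the upstream fix enforces: refuse any invocation that combines -S with -X, -Y, -Z or -z, so the conflicting mode is never reached with untrusted input. The option letters come from the fix description above; the assumption that each option may be written either separated ("-S 2:2") or attached ("-S2:2"), as getopt permits, is mine, as is the TIFFCROP environment variable used to point at the real binary.

```shell
#!/bin/sh
# Added example (not libtiff's own code): guard an unpatched tiffcrop against
# the option combination that CVE-2022-2521's fix made mutually exclusive.
# Assumptions: options follow getopt conventions ("-S 2:2" or "-S2:2"), and
# "--" ends option processing. TIFFCROP (assumed name) selects the binary.

# Return 0 (true) when the argument list combines -S with -X, -Y, -Z or -z,
# i.e. the combination that the upstream fix rejects. Return 1 otherwise.
tiffcrop_opts_conflict() {
    has_sections=0   # saw -S
    has_other=0      # saw -X, -Y, -Z or -z
    for arg in "$@"; do
        case "$arg" in
            --) break ;;                      # end of options, rest are files
            -S*) has_sections=1 ;;            # -S cols:rows
            -X*|-Y*|-Z*|-z*) has_other=1 ;;   # width/length, zones, regions
        esac
    done
    [ "$has_sections" -eq 1 ] && [ "$has_other" -eq 1 ]
}

# Run tiffcrop only when the option set is not the conflicting one.
# Exit status 2 on refusal so callers can tell it apart from a tiffcrop error.
safe_tiffcrop() {
    if tiffcrop_opts_conflict "$@"; then
        echo "refusing: tiffcrop -S cannot be combined with -X, -Y, -Z or -z (CVE-2022-2521)" >&2
        return 2
    fi
    "${TIFFCROP:-tiffcrop}" "$@"
}

# Usage (after sourcing this file):
#   safe_tiffcrop -S 2:2 in.tif out.tif          # allowed
#   safe_tiffcrop -S 2:2 -Z 1:3 in.tif out.tif   # refused, exit 2
```

The wrapper is a stop-gap for hosts that cannot be updated immediately; it does not make the underlying tiffcrop safe for other crafted-file bugs, and the crafted file still needs the conflicting options to trigger this particular free, which is why the check is sufficient for this CVE alone.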
Source: This report was generated using AI