CVE-2022-2868: 
NixOS vulnerability analysis and mitigation

CVE-2022-2868 is a security vulnerability discovered in libtiff's tiffcrop utility. The flaw was identified as an improper input validation issue that can lead to out-of-bounds read operations. The vulnerability was reported on August 16, 2022, and affects the Tag Image File Format (TIFF) library and associated tools (CVE Mitre, NVD).

The vulnerability exists in the tiffcrop utility (tools/tiffcrop.c) where a crafted file could supply invalid cropwidth and/or croplength values. These values are computed prior to sanity checks, which can subsequently cause out-of-bounds reads in the reverseSamples16bits() function. The issue was addressed in libtiff version 4.4.0rc1 (Red Hat Bugzilla).

When exploited, this vulnerability can cause the application to crash, resulting in a denial of service (DoS) condition. The impact occurs when an attacker supplies a specially crafted TIFF file to the tiffcrop utility (Debian Security).

Multiple vendors have released patches to address this vulnerability. Debian released version 4.2.0-1+deb11u3 for the stable distribution (bullseye), Red Hat addressed it in RHSA-2023:0095, and the upstream fix was included in libtiff version 4.4.0rc1. Users are recommended to upgrade their tiff packages to the latest available versions (Debian LTS, Red Hat Bugzilla).