CVE-2022-36354: 
NixOS vulnerability analysis and mitigation

A heap out-of-bounds read vulnerability (CVE-2022-36354) was discovered in the RLA format parser of OpenImageIO versions master-branch-9aeece7a and v2.3.19.0. The vulnerability specifically affects the handling of run-length encoded byte spans in RLA files. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on December 22, 2022 (Talos Report).

The vulnerability exists in the way run-length encoded byte spans are handled within the RLA format parser. The issue occurs in the decoderlespan function where an off-by-one error can lead to reading beyond the allocated buffer boundaries. When processing RLA files, if e equals elen-1, the subsequent e++ operation results in accessing memory outside the buffer's bounds. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is classified as CWE-193 (Off-by-one Error) (Talos Report).

When exploited, this vulnerability can result in sensitive information leakage through an out-of-bounds read of heap metadata. While each instance only leaks one byte, the decoderlespan function is called multiple times during processing, potentially leading to a significant amount of heap data being exposed. This could be particularly dangerous when combined with other vulnerabilities as an information leak component to bypass security mitigations (Talos Report).

The vulnerability was patched with a vendor release on November 1, 2022. Users are advised to update to a version newer than v2.3.19.0 to address this security issue (Talos Report).