
Cloud Vulnerability DB
A community-led vulnerabilities database
A heap out-of-bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. The vulnerability, identified as CVE-2022-41649, was discovered by Cisco Talos and disclosed on December 22, 2022. A specially crafted TIFF file can trigger this vulnerability, which affects OpenImageIO versions up to v2.3.19.0 (Talos Report).
The vulnerability occurs during the processing of IPTC data in TIFF images. When handling IPTC data, the code incorrectly calculates buffer sizes when casting from char to uint32_t, leading to a heap buffer overflow in which adjacent heap memory beyond the allocated buffer boundaries is read. The vulnerability has been assigned a CVSS score of 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-125 (Out-of-bounds Read) (Talos Report).
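The widening mistake the report describes, next to a bounds-checked way of reading an IPTC-style length field, as an added C example; the record layout, field names and function names are constructed for illustration and are not OpenImageIO's code or its fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The hazard the report describes: a byte holding 0xFF read through a signed
   char (plain `char` on x86) widens to -1, then to 0xFFFFFFFF as uint32_t. */
uint32_t widen_via_signed_char(uint8_t b) {
    signed char c = (signed char)b;
    return (uint32_t)c;                 /* 0xFF -> 0xFFFFFFFF */
}
/* Correct widening goes through unsigned char, so 0xFF stays 255. */
uint32_t widen_via_unsigned_char(uint8_t b) {
    return (uint32_t)(unsigned char)b;  /* 0xFF -> 255 */
}
/* One IPTC-IIM style record in its standard form: 0x1C marker, record
   number, dataset number, 2-byte big-endian length, payload. Constructed
   layout and names for this example; not OpenImageIO's code. */
typedef struct {
    uint8_t record, dataset;
    uint32_t length;
    const char *payload;
} iptc_record;
/* Parse one record at buf[*pos]. Every read is checked against `size` first,
   so a crafted length can never reach past the buffer; on failure the
   function returns false and leaves *pos unchanged. */
bool iptc_parse_record(const char *buf, size_t size, size_t *pos, iptc_record *out) {
    size_t p = *pos;
    if (p > size || size - p < 5) return false;        /* header must fit */
    if ((unsigned char)buf[p] != 0x1C) return false;   /* marker byte */
    out->record  = (unsigned char)buf[p + 1];
    out->dataset = (unsigned char)buf[p + 2];
    /* Widen through unsigned char: a 0xFF length byte becomes 255. */
    out->length = ((uint32_t)(unsigned char)buf[p + 3] << 8)
                |  (uint32_t)(unsigned char)buf[p + 4];
    p += 5;
    if (out->length > size - p) return false;          /* payload must fit */
    out->payload = buf + p;
    *pos = p + out->length;
    return true;
}
/* Count well-formed records, stopping at the first malformed one. */
size_t iptc_count_records(const char *buf, size_t size) {
    size_t pos = 0, n = 0;
    iptc_record r;
    while (pos < size && iptc_parse_record(buf, size, &pos, &r)) n++;
    return n;
}
```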
When exploited, this vulnerability causes a read of adjacent heap memory, potentially leaking sensitive process information. The impact is primarily information disclosure, which attackers could use to gather sensitive data about the running process (Talos Report).
The vulnerability has been fixed in the OpenImageIO master branch (Commit ID 9aeec7a). Users are advised to upgrade to the patched versions. Multiple distributions have released security updates, including Debian with version 2.2.10.1+dfsg-1+deb11u1 for bullseye and version 2.0.5~dfsg0-1+deb10u2 for buster (Debian Advisory, Debian Security).
Source: This report was generated using AI