CVE-2022-41977: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2022-41977) exists in OpenImageIO version v2.3.19.0 in the way it processes string fields in TIFF image files. The vulnerability was discovered by Lilith of Cisco Talos and was publicly disclosed on December 22, 2022. The affected versions include OpenImageIO master-branch-9aeece7a and v2.3.19.0 (Talos Report).

The vulnerability occurs in the TIFF file string field processing where the library creates a stringview with a fixed length of 20 bytes for TIFFTAGDATETIME fields, regardless of the actual data length in the file. If the TIFF file contains a TIFFTAGDATETIME directory with a size less than 20 bytes, it results in an out-of-bounds read on the heap. The vulnerability has been assigned a CVSSv3 score of 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is classified as CWE-125 (Out-of-bounds Read) ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1627)).

This vulnerability results in an out-of-bounds read of adjacent heap data which can contain sensitive process information. When combined with other vulnerabilities, it could potentially be used as an information leak exploit component to bypass security mitigations (Talos Report).

The vulnerability was patched in the vendor release on November 1, 2022. Users are recommended to upgrade to a patched version of OpenImageIO. For Debian systems, the fix is available in version 2.2.10.1+dfsg-1+deb11u1 for the stable distribution (bullseye) (Debian Advisory).