CVE-2022-41988: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2022-41988) exists in the OpenImageIO::decodeiptciim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. The vulnerability was discovered by Lilith of Cisco Talos and publicly disclosed on December 22, 2022. This vulnerability affects the image processing library OpenImageIO, which is utilized by 3D-processing software from AliceVision (including Meshroom) and Blender for reading Photoshop .psd files (Talos Report).

The vulnerability exists in the TIFF IPTC decoding functionality where a specially-crafted TIFF file can trigger an out-of-bounds heap read. The issue occurs in the decodeiptciim() function where there's no validation between the tag size calculation and string creation, allowing for a controlled read beyond allocated memory. The vulnerability has been assigned a CVSSv3 score of 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is classified as CWE-125 (Out-of-bounds Read) (Talos Report).

When exploited, this vulnerability can lead to the disclosure of sensitive information through a specially-crafted TIFF file. The attacker can provide a malicious file to trigger the vulnerability and potentially access data beyond the intended boundaries (Talos Report).

The vulnerability has been fixed in OpenImageIO release v2.4.4.2 and in the master branch. The fix was implemented through a commit (e9103925bb2aeed36b01b3805f36959f5d1a2e18) that addresses the validation issue in the IPTC decoding functionality. Users are advised to upgrade to version 2.4.4.2 or later to mitigate this vulnerability (Talos Report, Debian Security).