CVE-2022-43592: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2022-43592) exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. The vulnerability allows a specially crafted ImageOutput Object to lead to leaked heap data when an attacker provides malicious input (Talos Report). The vulnerability was discovered on November 14, 2022, patched by the vendor on December 3, 2022, and publicly disclosed on December 22, 2022 (Talos Report).

The vulnerability exists in OpenImageIO, an image processing library used by 3D-processing software like AliceVision and Blender. The issue occurs when dealing with writing .dpx files, where a mismatch between TypeDesc formats (HALF to FLOAT conversion) leads to incorrect buffer size calculations. This results in reading twice as many bytes as allocated, causing an out-of-bounds heap read. The vulnerability has been assigned a CVSSv3 score of 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-125 (Out-of-bounds Read) (Talos Report).

The vulnerability can lead to information disclosure through leaked heap data when processing maliciously crafted input files. This could potentially expose sensitive information stored in memory to attackers (Talos Report).

The vulnerability has been fixed in updated versions of OpenImageIO. Users are recommended to upgrade to a version newer than v2.4.4.2. For Debian users, the fix is available in version 2.2.10.1+dfsg-1+deb11u1 (Debian Advisory).