CVE-2022-43597: 
NixOS vulnerability analysis and mitigation

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. The vulnerability, tracked as CVE-2022-43597, was discovered in December 2022 and affects the image processing library's ability to handle certain file formats. The vulnerability specifically arises when the m_spec.format is TypeDesc::UINT8 and can lead to arbitrary code execution through specially crafted ImageOutput Objects (Talos Report).

The vulnerability occurs in the IFFOutput alignment padding functionality when processing image data. When handling 8-bit data (TypeDesc::UINT8) with RLE compression, the code fails to properly resize the scratch vector before adding padding bytes, resulting in a heap buffer overflow. The vulnerability has a CVSS v3.1 base score of 8.1 (HIGH) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-122: Heap-based Buffer Overflow (NVD, Talos Report).

The vulnerability can lead to arbitrary code execution when a specially crafted ImageOutput Object is processed. An attacker who can control the input file or specification used to generate an ImageOutput object can trigger these vulnerabilities, potentially leading to system compromise (Talos Report).

The vulnerability was patched in the vendor release on December 3, 2022. Users are recommended to upgrade to a version newer than v2.4.4.2. Debian users should upgrade to version 2.2.10.1+dfsg-1+deb11u1 in the stable distribution (bullseye). Gentoo users should upgrade to version 2.4.6.0 or later (Debian Advisory, Gentoo Advisory).