CVE-2022-43599: 
NixOS vulnerability analysis and mitigation

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This vulnerability specifically arises when the xmax variable is set to 0xFFFF and m_spec.format is TypeDesc::UINT8. The vulnerability was discovered by Lilith of Cisco Talos and was publicly disclosed on December 22, 2022 (Talos Report).

The vulnerability exists in the image processing functionality of OpenImageIO, specifically in the IFFOutput::close() method. When processing image data with TypeDesc::UINT8 format and RLE compression, the code uses uint16_t variables for pixel coordinates (xmax, ymax). If xmax is set to 0xFFFF, the loop condition (px <= xmax) creates an infinite loop due to integer wraparound, leading to a heap buffer overflow. The vulnerability has a CVSS v3.1 Base Score of 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-122 (Heap-based Buffer Overflow) (Talos Report).

The vulnerability can lead to heap buffer overflow conditions, potentially resulting in arbitrary code execution, application crashes, or denial of service. Since OpenImageIO is a library utilized by various 3D-processing software including AliceVision (Meshroom) and Blender for reading Photoshop .psd files, the impact could affect multiple dependent applications (Talos Report).

The vulnerability has been patched in newer versions of OpenImageIO. Users are recommended to upgrade to version 2.4.6.0 or later. Debian users should upgrade to version 2.2.10.1+dfsg-1+deb11u1 in the stable distribution (bullseye) (Debian Advisory, Gentoo Advisory).