CVE-2022-43602: 
NixOS vulnerability analysis and mitigation

Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. The vulnerability (CVE-2022-43602) specifically occurs when the ymax variable is set to 0xFFFF and m_spec.format is TypeDesc::UINT8. This vulnerability was discovered and reported by Cisco Talos on December 22, 2022 (Talos Report).

The vulnerability arises in the IFFOutput::close() function when processing image data with TypeDesc::UINT8 format. When the ymax variable (uint16_t) is set to 0xFFFF, it creates an infinite loop condition due to integer wraparound, as the loop condition (py <= ymax) never becomes false. This results in continuous writes to the buffer beyond its allocated size, causing a heap buffer overflow. The vulnerability has a CVSS v3.1 score of 8.1 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified as CWE-122 (Heap-based Buffer Overflow) (NVD).

The vulnerability can lead to heap buffer overflow, which could potentially result in arbitrary code execution. Since OpenImageIO is a library used by various 3D-processing software including AliceVision (Meshroom) and Blender for reading image files, the impact could be significant if exploited (Talos Report).

The vulnerability was patched in OpenImageIO version 2.4.6.0. Users are advised to upgrade to this or later versions. Debian users should upgrade to version 2.2.10.1+dfsg-1+deb11u1 in the stable distribution (bullseye) (Debian Advisory). Gentoo users should upgrade to version >= 2.4.6.0 (Gentoo Advisory).