CVE-2022-43603: 
NixOS vulnerability analysis and mitigation

A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. The vulnerability, identified as CVE-2022-43603, was discovered by Lilith of Cisco Talos and publicly disclosed on December 22, 2022. The vulnerability affects OpenImageIO, which is an image processing library utilized by 3D-processing software from AliceVision (including Meshroom) and Blender for reading Photoshop .psd files (Talos Report).

The vulnerability exists in the ZfileOutput::close() functionality where a NULL pointer dereference can occur. When the ZfileOutput::open() function returns false, the mtilebuffer vector remains uninitialized with size 0 and a null pointer for its data. During the close operation, the program attempts to copy from around the NULL page, leading to a segmentation fault. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-476 (NULL Pointer Dereference) ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1657), NVD).

The vulnerability can lead to denial of service when an attacker provides a malicious file to trigger the vulnerability. When exploited, the application will crash due to the NULL pointer dereference (Talos Report).

The vulnerability has been patched in various distributions. Debian has fixed the issue in version 2.2.10.1+dfsg-1+deb11u1 for the stable distribution (bullseye). Gentoo users should upgrade to version >= 2.4.6.0 of media-libs/openimageio (Debian Advisory, Gentoo Advisory).