Alpine: libtiffxx, multiple tiff packages: security update to 4.3.0-r1

high Tenable Cloud Security Plugin ID 424616

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A heap buffer overflow in the ExtractImageSection function in tiffcrop.c in libtiff version 4.3.0
allows an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which
could result in an application crash, potential information disclosure, or any other context-dependent
impact (CVE-2022-0891)

- A null source pointer passed as an argument to the memcpy() function within TIFFFetchStripThing() in
tif_dirread.c in libtiff versions 3.9.0 through 4.3.0 could lead to denial of service via a crafted TIFF
file. For users who compile libtiff from source, the fix is available in commit eecb0712.
(CVE-2022-0561)

- A null source pointer passed as an argument to the memcpy() function within TIFFReadDirectory() in
tif_dirread.c in libtiff versions 4.0 through 4.3.0 could lead to denial of service via a crafted TIFF
file. For users who compile libtiff from source, the fix is available in commit 561599c. (CVE-2022-0562)

- A reachable assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial of service via a
crafted TIFF file. For users who compile libtiff from source, the fix is available in commit 5e180045.
(CVE-2022-0865)
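The plugin is a local check: it compares the installed Alpine tiff packages against the fixed release 4.3.0-r1 named in the title. The script below is an added example of that comparison, not Tenable's plugin code and not part of this page. It parses `apk info -v` output (one `name-version-rN` line per package), orders versions with a simplified version of apk's rules (pre-release suffixes `_alpha`, `_beta`, `_pre`, `_rc` sort below a bare version, `_p` sorts above, then `-rN`), and reports any tiff package older than the fix. The subpackage set `TIFF_PACKAGES` and the sample `apk info -v` output are assumptions constructed for the example.

```python
import re
import sys

# Fixed version from the advisory title (Alpine tiff 4.3.0-r1).
FIXED_VERSION = "4.3.0-r1"

# Assumption: the subpackages Alpine builds from its tiff aport. The advisory only
# says "libtiffxx, multiple tiff packages"; adjust this set for your release.
TIFF_PACKAGES = {"tiff", "tiff-dev", "tiff-doc", "tiff-tools", "libtiff", "libtiffxx"}

# Simplified apk version grammar: N(.N)*[letter][_suffix[N]]-rN. Pre-release
# suffixes sort below a bare version, _p (post-release) sorts above it.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?(?:_(alpha|beta|pre|rc|p)(\d*))?-r(\d+)$")
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

# One line of `apk info -v` output: "<name>-<version>-r<rel>". The name group is
# non-greedy so "py3-foo-1.2.3-r0" splits at the first "-" followed by a digit.
_LINE_RE = re.compile(r"^(.+?)-(\d\S*-r\d+)$")


def version_key(ver):
    """Map an apk version string to a tuple that sorts in apk's order."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported apk version string: {ver!r}")
    nums, letter, suffix, suffix_num, rel = m.groups()
    return (
        tuple(int(x) for x in nums.split(".")),
        letter or "",
        _SUFFIX_RANK[suffix],
        int(suffix_num or 0),
        int(rel),
    )


def parse_apk_info(text):
    """Parse `apk info -v` output into {package_name: version}; unparsable lines are skipped."""
    installed = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def vulnerable_packages(installed, fixed=FIXED_VERSION, names=TIFF_PACKAGES):
    """Return the installed tiff packages whose version is older than the fixed one."""
    fixed_key = version_key(fixed)
    return {
        name: ver
        for name, ver in installed.items()
        if name in names and version_key(ver) < fixed_key
    }


# Constructed sample of `apk info -v` output, not captured from a real host.
SAMPLE_APK_INFO = """\
musl-1.2.2-r7
tiff-4.3.0-r0
libtiff-4.3.0-r0
libtiffxx-4.3.0-r0
tiff-tools-4.3.0-r1
zlib-1.2.11-r3
"""

if __name__ == "__main__":
    # On a host: apk info -v | python3 check_tiff.py   (exit status 1 if anything is vulnerable)
    text = SAMPLE_APK_INFO if sys.stdin.isatty() else sys.stdin.read()
    hits = vulnerable_packages(parse_apk_info(text))
    for name, ver in sorted(hits.items()):
        print(f"{name} {ver} is older than {FIXED_VERSION}: vulnerable, run: apk upgrade {name}")
    sys.exit(1 if hits else 0)
```

Note that a package at exactly 4.3.0-r1 (tiff-tools in the sample) is reported clean even though its upstream version is still 4.3.0: Alpine ships the fixes as patches on top of 4.3.0, so the `-rN` release suffix, not the upstream version, is what carries the fix here.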

See Also

https://security.alpinelinux.org/vuln/CVE-2022-0561

https://security.alpinelinux.org/vuln/CVE-2022-0562

https://security.alpinelinux.org/vuln/CVE-2022-0865

https://security.alpinelinux.org/vuln/CVE-2022-0891

https://security.alpinelinux.org/vuln/CVE-2022-0907

https://security.alpinelinux.org/vuln/CVE-2022-0908

https://security.alpinelinux.org/vuln/CVE-2022-0909

https://security.alpinelinux.org/vuln/CVE-2022-0924

https://security.alpinelinux.org/vuln/CVE-2022-22844

https://security.alpinelinux.org/vuln/CVE-2022-34266

Plugin Details

Severity: High

ID: 424616

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

Percentile: 96.8

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2022-0891

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/8/2022

Reference Information

CVE: CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-22844, CVE-2022-34266