{"id":"USN-5714-1","summary":"tiff vulnerabilities","details":"It was discovered that LibTIFF incorrectly handled certain memory operations\nwhen using tiffcrop. An attacker could trick a user into processing a specially\ncrafted tiff image file and potentially use this issue to cause a denial of\nservice. This issue only affected Ubuntu 22.10. (CVE-2022-2519, CVE-2022-2520,\nCVE-2022-2521, CVE-2022-2953)\n\nIt was discovered that LibTIFF did not properly perform bounds checking in\ncertain operations when using tiffcrop. An attacker could trick a user into\nprocessing a specially crafted tiff image file and potentially use this issue\nto allow for information disclosure or to cause the application to crash. This\nissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.\n(CVE-2022-2867, CVE-2022-2868, CVE-2022-2869)\n\nIt was discovered that LibTIFF did not properly perform bounds checking in\ncertain operations when using tiffsplit. An attacker could trick a user into\nprocessing a specially crafted tiff image file and potentially use this issue\nto allow for information disclosure or to cause the application to crash. This\nissue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,\nUbuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-34526)\n\nChintan Shah discovered that LibTIFF incorrectly handled memory in certain\nconditions when using tiffcrop. An attacker could trick a user into processing\na specially crafted image file and potentially use this issue to allow for\ninformation disclosure or to cause the application to crash. This issue only\naffected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04\nLTS and Ubuntu 22.10. (CVE-2022-3570)\n\nIt was discovered that LibTIFF incorrectly handled memory in certain conditions\nwhen using tiffcrop. 
An attacker could trick a user into processing a specially\ncrafted tiff file and potentially use this issue to cause a denial of service.\nThis issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04\nLTS, Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2022-3598)\n\nIt was discovered that LibTIFF did not properly perform bounds checking in\ncertain operations when using tiffcrop. An attacker could trick a user into\nprocessing a specially crafted tiff image file and potentially use this issue\nto allow for information disclosure or to cause the application to crash.\n(CVE-2022-3599)\n\nIt was discovered that LibTIFF did not properly perform bounds checking in\ncertain operations when using tiffcrop. An attacker could trick a user into\nprocessing a specially crafted tiff image file and potentially use this issue\nto allow for information disclosure or to cause the application to crash. This\nissue only affected Ubuntu 22.10. (CVE-2022-3597, CVE-2022-3626,\nCVE-2022-3627)\n","modified":"2026-02-10T04:42:49Z","published":"2022-11-08T08:13:42Z","related":["UBUNTU-CVE-2022-2867","UBUNTU-CVE-2022-2868","UBUNTU-CVE-2022-2869","UBUNTU-CVE-2022-34526","UBUNTU-CVE-2022-3570","UBUNTU-CVE-2022-3598","UBUNTU-CVE-2022-3599"],"upstream":["CVE-2022-2867","CVE-2022-2868","CVE-2022-2869","CVE-2022-34526","CVE-2022-3570","CVE-2022-3598","CVE-2022-3599","UBUNTU-CVE-2022-2519","UBUNTU-CVE-2022-2520","UBUNTU-CVE-2022-2521","UBUNTU-CVE-2022-2867","UBUNTU-CVE-2022-2868","UBUNTU-CVE-2022-2869","UBUNTU-CVE-2022-2953","UBUNTU-CVE-2022-34526","UBUNTU-CVE-2022-3570","UBUNTU-CVE-2022-3597","UBUNTU-CVE-2022-3598","UBUNTU-CVE-2022-3599","UBUNTU-CVE-2022-3626","UBUNTU-CVE-2022-3627"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5714-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2519"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2520"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2521"}
,{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2867"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2868"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2869"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2953"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3570"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3597"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3598"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3599"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3626"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3627"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-34526"}],"affected":[{"package":{"name":"tiff","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.0.3-7ubuntu0.11+esm5?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.3-7ubuntu0.11+esm5"}]}],"versions":["4.0.2-4ubuntu3","4.0.3-5ubuntu1","4.0.3-6","4.0.3-6ubuntu1","4.0.3-7","4.0.3-7ubuntu0.1","4.0.3-7ubuntu0.2","4.0.3-7ubuntu0.3","4.0.3-7ubuntu0.4","4.0.3-7ubuntu0.6","4.0.3-7ubuntu0.7","4.0.3-7ubuntu0.8","4.0.3-7ubuntu0.9","4.0.3-7ubuntu0.10","4.0.3-7ubuntu0.11","4.0.3-7ubuntu0.11+esm1","4.0.3-7ubuntu0.11+esm2","4.0.3-7ubuntu0.11+esm3","4.0.3-7ubuntu0.11+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): 
https://ubuntu.com/pro","binaries":[{"binary_name":"libtiff-opengl","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiff-tools","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiff4-dev","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiff5","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiff5-alt-dev","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiff5-dev","binary_version":"4.0.3-7ubuntu0.11+esm5"},{"binary_name":"libtiffxx5","binary_version":"4.0.3-7ubuntu0.11+esm5"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2022-3570","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3598","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3599","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-34526","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5714-1.json"}},{"package":{"name":"tiff","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.0.6-1ubuntu0.8+esm7?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.6-1ubuntu0.8+esm7"}]}],"versions":["4.0.3-12.3ubuntu2","4.0.5-1","4.0.6-1","4.0.6-1ubuntu0.1","4.0.6-1ubuntu0.2","4.0.6-1ubuntu0.3","4.0.6-1ubuntu0.4","4.0.6-1ubuntu0.5","4.0.6-1ubuntu0.6","4.0.6-1ubuntu0.7","4.0.6-1ubuntu0.8","4.0.6-1ubuntu0.8+es
m1","4.0.6-1ubuntu0.8+esm2","4.0.6-1ubuntu0.8+esm3","4.0.6-1ubuntu0.8+esm4","4.0.6-1ubuntu0.8+esm6"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"libtiff-opengl","binary_version":"4.0.6-1ubuntu0.8+esm7"},{"binary_name":"libtiff-tools","binary_version":"4.0.6-1ubuntu0.8+esm7"},{"binary_name":"libtiff5","binary_version":"4.0.6-1ubuntu0.8+esm7"},{"binary_name":"libtiff5-dev","binary_version":"4.0.6-1ubuntu0.8+esm7"},{"binary_name":"libtiffxx5","binary_version":"4.0.6-1ubuntu0.8+esm7"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2022-3599","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-34526","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5714-1.json"}},{"package":{"name":"tiff","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.0.9-5ubuntu0.8?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.9-5ubuntu0.8"}]}],"versions":["4.0.8-5","4.0.8-6","4.0.9-1","4.0.9-2","4.0.9-3","4.0.9-4","4.0.9-4ubuntu1","4.0.9-5","4.0.9-5ubuntu0.1","4.0.9-5ubuntu0.2","4.0.9-5ubuntu0.3","4.0.9-5ubuntu0.4","4.0.9-5ubuntu0.5","4.0.9-5ubuntu0.6","4.0.9-5ubuntu0.7"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_name":"libtiff-dev","binary_version":"4.0.9-5ubuntu0.8"},{"binary_name":"libtiff-opengl","binary_version":"4.0.9-5ubuntu0.8"},{"binary_name":"libtiff-tools","binary_version":"4.0.9-5ubuntu0.8"},{"binary_name":"libtiff5","binary_version":"4.0.9-5ubuntu0.8"},{"binary_name":"libtiff5-dev","binary_version":"4.0.9-5ubuntu0.8"},{"binary_name":"libtiffxx5","binary_version":"4.0.9-5ubuntu0.8"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2022-2867","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2868","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2869","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-3570","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3598","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3599","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-34526","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5714-1.json"}},{"package":{"name":"tiff","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.1.0+git191117-2ubuntu0.20.04.6?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM",
"events":[{"introduced":"0"},{"fixed":"4.1.0+git191117-2ubuntu0.20.04.6"}]}],"versions":["4.0.10+git191003-1","4.1.0+git191117-1","4.1.0+git191117-2","4.1.0+git191117-2build1","4.1.0+git191117-2ubuntu0.20.04.1","4.1.0+git191117-2ubuntu0.20.04.2","4.1.0+git191117-2ubuntu0.20.04.3","4.1.0+git191117-2ubuntu0.20.04.4","4.1.0+git191117-2ubuntu0.20.04.5"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libtiff-dev","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"},{"binary_name":"libtiff-opengl","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"},{"binary_name":"libtiff-tools","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"},{"binary_name":"libtiff5","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"},{"binary_name":"libtiff5-dev","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"},{"binary_name":"libtiffxx5","binary_version":"4.1.0+git191117-2ubuntu0.20.04.6"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2022-2867","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2868","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2869","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-3570","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3598","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3599","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N
/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-34526","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5714-1.json"}},{"package":{"name":"tiff","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.3.0-6ubuntu0.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.0-6ubuntu0.2"}]}],"versions":["4.3.0-1","4.3.0-2","4.3.0-3","4.3.0-3build1","4.3.0-4","4.3.0-5","4.3.0-6","4.3.0-6ubuntu0.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"libtiff-dev","binary_version":"4.3.0-6ubuntu0.2"},{"binary_name":"libtiff-opengl","binary_version":"4.3.0-6ubuntu0.2"},{"binary_name":"libtiff-tools","binary_version":"4.3.0-6ubuntu0.2"},{"binary_name":"libtiff5","binary_version":"4.3.0-6ubuntu0.2"},{"binary_name":"libtiff5-dev","binary_version":"4.3.0-6ubuntu0.2"},{"binary_name":"libtiffxx5","binary_version":"4.3.0-6ubuntu0.2"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2022-2867","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2868","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-2869","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2022-3570","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3598","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{
"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-3599","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-34526","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5714-1.json"}}],"schema_version":"1.7.3"}