processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image. https://gitlab.com/libtiff/libtiff/-/issues/488 https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
Created iv tracking bugs for this issue: Affects: fedora-36 [bug 2163633] Affects: fedora-37 [bug 2163637] Created libtiff tracking bugs for this issue: Affects: fedora-36 [bug 2163634] Affects: fedora-37 [bug 2163638] Created mingw-libtiff tracking bugs for this issue: Affects: fedora-36 [bug 2163635] Affects: fedora-37 [bug 2163639] Created tkimg tracking bugs for this issue: Affects: fedora-36 [bug 2163636] Affects: fedora-37 [bug 2163640]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3711 https://access.redhat.com/errata/RHSA-2023:3711
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3827 https://access.redhat.com/errata/RHSA-2023:3827
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-48281
Creating rhel-7 tracker for customer requesting an out of scope escalation. INC2674682