CVE-2022-35019

Vulnerability

CVE-2022-35019 is a segmentation fault vulnerability discovered in Advancecomp version 2.3 [1]. The issue occurs in the advancecomp utility, which is used for compressing and recompressing PNG, MNG, and ZIP files. The exact vulnerable code path is not detailed in the available references, but the crash indicates improper memory handling when processing specially crafted input files [2].

Exploitation

An attacker can trigger the segmentation fault by providing a maliciously crafted file to advancecomp [1]. No authentication is required, as the tool processes files supplied by the user. The attack vector is local or remote, depending on how the tool is invoked (e.g., via a script or service that processes user-uploaded files). The user must invoke the tool or a service must use advancecomp on the attacker-supplied file, resulting in the crash [3].

Impact

Successful exploitation leads to a segmentation fault, causing the advancecomp process to terminate abnormally [1]. This results in a denial-of-service condition, potentially disrupting automated workflows that rely on the tool. No further impact (e.g., code execution, data corruption) is described in the available references.

Mitigation

As of the published date (August 2022), no official patch or updated version has been released for this specific issue [1]. Users are advised to monitor the official Advancecomp repository for updates. If possible, avoid processing untrusted files with advancecomp version 2.3 until a fix is available. Fedora package announcements referenced may contain updates or workarounds but were not accessible due to automated CAPTCHA barriers [2][3].