CVE-2023-0796
Description
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20- osv-coords18 versionspkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-toolspkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 4.4.0-8.el9_2+ 17 more
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.5.0-3.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
Patches
Vulnerability mechanics
Root cause
"Missing dimension-scope guard in rotateImage causes image-level width/length to be swapped when rotating a sub-region, leading to an out-of-bounds read in extractContigSamplesShifted24bits."
Attack vector
An attacker supplies a crafted TIFF file and invokes `tiffcrop` with options such as `-e multiple -z ... -R 270` to request cropping and rotation [ref_id=2]. The tool parses the malformed file, which contains invalid strip byte counts and other corrupt tags, and then attempts to extract and rotate sub-regions. During rotation of a sub-region, `rotateImage` incorrectly swaps the image dimensions stored in `image->width` and `image->length`, causing downstream code in `extractContigSamplesShifted24bits` to read beyond the allocated buffer [ref_id=1]. This results in a segmentation fault (denial of service) [ref_id=2].
Affected code
The out-of-bounds read occurs in `extractContigSamplesShifted24bits` at `tools/tiffcrop.c:3592` [ref_id=2]. The call chain is `main` → `processCropSelections` → `extractSeparateRegion` → `extractContigSamplesShifted24bits` [ref_id=2]. The patch modifies the `rotateImage` function signature and its callers to add a `rot_image_params` parameter, preventing `rotateImage` from unconditionally swapping `image->width` and `image->length` when operating on sub-regions rather than the whole image [ref_id=1].
What the fix does
The fix adds a `rot_image_params` parameter (type `int`) to `rotateImage` and its callers [ref_id=1]. When `rot_image_params` is `TRUE` (whole-image rotation), the function swaps `image->width`/`image->length` and the x/y resolutions as before. When `FALSE` (sub-region rotation), it only updates the local `*img_width`/`*img_length` pointers without modifying the image-level dimensions [ref_id=1]. This prevents the dimension mismatch that caused the out-of-bounds read in `extractContigSamplesShifted24bits`. The patch also removes redundant `buffsize` initialization in `initCropMasks` and cleans up unused variable declarations [ref_id=1].
Preconditions
- inputThe attacker must provide a crafted TIFF file that triggers invalid strip byte counts or other corrupt tags.
- inputThe victim must run tiffcrop with cropping and rotation options (e.g., -e multiple -z ... -R 270) on the crafted file.
Reproduction
Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install`. Then run: `./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo` using the provided poc.zip [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- security.gentoo.org/glsa/202305-31mitrevendor-advisory
- www.debian.org/security/2023/dsa-5361mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2023/02/msg00026.htmlmitremailing-list
- gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0796.jsonmitre
- gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68mitre
- gitlab.com/libtiff/libtiff/-/issues/499mitre
- security.netapp.com/advisory/ntap-20230316-0003/mitre
News mentions
0No linked articles in our index yet.