CVE-2023-0798
Description
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20- osv-coords18 versionspkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-toolspkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 4.4.0-8.el9_2+ 17 more
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.5.0-3.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
Patches
Vulnerability mechanics
Root cause
"rotateImage() unconditionally swapped global image dimensions (width/length) even when operating on a sub-region, corrupting the geometry used by downstream extraction functions and causing an out-of-bounds read."
Attack vector
An attacker supplies a crafted TIFF file and invokes `tiffcrop` with options such as `-e multiple -Z 1:4,3:3 -R 270` to trigger cropping and rotation [ref_id=2]. The tool processes the malformed image, and during rotation of a sub-region the `rotateImage()` function incorrectly updates the global `image->width` and `image->length` values. When `extractContigSamplesShifted8bits` later reads pixel data using these corrupted dimensions, it accesses memory beyond the allocated buffer, causing a segmentation fault [ref_id=1][ref_id=2]. No authentication or special privileges are required; the attacker only needs to deliver the file to a victim who runs `tiffcrop` on it.
Affected code
The out-of-bounds read occurs in `extractContigSamplesShifted8bits` at line 3400 of `tools/tiffcrop.c` [ref_id=2]. The call chain is `main` → `processCropSelections` → `extractSeparateRegion` → `extractContigSamplesShifted8bits` [ref_id=2]. The root cause is that `rotateImage()` previously unconditionally swapped `image->width` and `image->length` even when operating on a sub-region, corrupting the image geometry used by downstream extraction functions [ref_id=1].
What the fix does
The patch adds a `rot_image_params` parameter to `rotateImage()` [ref_id=1]. When this flag is `FALSE` (sub-region rotation), the function no longer modifies `image->width`, `image->length`, `image->xres`, or `image->yres`; it only updates the local width/length pointers [ref_id=1]. Callers that rotate the whole image pass `TRUE`, preserving the old behavior. This prevents the global image dimensions from being corrupted during sub-region rotation, which in turn avoids the out-of-bounds read in `extractContigSamplesShifted8bits` [ref_id=1][ref_id=2].
Preconditions
- inputVictim must run tiffcrop on a crafted TIFF file with options that trigger cropping and rotation (e.g., -e multiple -Z ... -R 270)
- inputThe crafted TIFF file must contain malformed tags (e.g., incorrect StripOffsets/StripByteCounts) that cause the image geometry to be inconsistent
Reproduction
Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install`. Then run: `./build_asan/bin/tiffcrop -e multiple -Z 1:4,3:3 -R 270 -i poc /tmp/foo` using the attached `poc.zip` file [ref_id=2]. The tool will crash with a SEGV in `extractContigSamplesShifted8bits` at line 3400 [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- security.gentoo.org/glsa/202305-31mitrevendor-advisory
- www.debian.org/security/2023/dsa-5361mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2023/02/msg00026.htmlmitremailing-list
- gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0798.jsonmitre
- gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68mitre
- gitlab.com/libtiff/libtiff/-/issues/492mitre
- security.netapp.com/advisory/ntap-20230316-0003/mitre
News mentions
0No linked articles in our index yet.