CVE-2023-0799
Description
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20- osv-coords18 versionspkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-toolspkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tiff&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/tiff&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tiff&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 4.4.0-8.el9_2+ 17 more
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.4.0-8.el9_2
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.5.0-3.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-150000.45.28.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
- (no CPE)range: < 4.0.9-44.68.1
Patches
Vulnerability mechanics
Root cause
"Use-after-free in `rotateImage()` where a crop region's buffer is freed but later accessed by `extractContigSamplesShifted32bits`."
Attack vector
An attacker supplies a crafted TIFF file and invokes `tiffcrop` with options such as `-e multiple -z ... -R 270` to trigger cropping and rotation [ref_id=2]. The tool processes the image through `processCropSelections`, which calls `rotateImage()` on a crop region; `rotateImage()` frees the region's buffer while the code later reads from the same freed pointer in `extractContigSamplesShifted32bits` [ref_id=2]. This heap-use-after-free results in a denial-of-service (crash) when the attacker's file is processed [ref_id=2]. No authentication or special privileges are required beyond the ability to supply the malicious TIFF to the `tiffcrop` utility.
Affected code
The out-of-bounds read occurs in `extractContigSamplesShifted32bits` at `tools/tiffcrop.c:3701` [ref_id=2]. The root cause is a use-after-free: `rotateImage()` frees the buffer previously allocated for a crop region, but the code in `processCropSelections` and `extractSeparateRegion` continues to access the freed buffer via `crop->regionlist[i].buffptr` [ref_id=2]. The patch modifies `rotateImage()` to accept a new `rot_image_params` parameter and stops unconditionally swapping `image->width`/`image->length`/resolution values when rotating individual crop regions, preventing the premature free that leads to the use-after-free [patch_id=afaabc3e].
What the fix does
The patch adds a `rot_image_params` parameter to `rotateImage()` and passes `TRUE` only when rotating the whole input image, not individual crop regions [patch_id=afaabc3e]. Previously `rotateImage()` always swapped `image->width`, `image->length`, and resolution values, which could cause the buffer to be freed prematurely. By guarding those assignments with `if (rot_image_params)`, the fix ensures that when rotating a sub-region the image-level parameters are not toggled, preventing the use-after-free in `extractContigSamplesShifted32bits` [patch_id=afaabc3e][ref_id=2].
Preconditions
- inputAttacker must supply a crafted TIFF file that triggers the crop-and-rotate code path.
- configThe tiffcrop utility must be invoked with crop options (e.g., -e multiple -z ... -R 270) that cause rotation of individual crop regions.
Reproduction
Build libtiff with AddressSanitizer enabled (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared; make -j; make install`). Run: `./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo` using the provided `poc.zip` file [ref_id=2]. The tool will crash with a heap-use-after-free at `tools/tiffcrop.c:3701` in `extractContigSamplesShifted32bits` [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- security.gentoo.org/glsa/202305-31mitrevendor-advisory
- www.debian.org/security/2023/dsa-5361mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2023/02/msg00026.htmlmitremailing-list
- gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0799.jsonmitre
- gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68mitre
- gitlab.com/libtiff/libtiff/-/issues/494mitre
- security.netapp.com/advisory/ntap-20230316-0003/mitre
News mentions
0No linked articles in our index yet.