VYPR
Unrated severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2023-0803

Description

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing validation that composite crop regions have equal widths or lengths before processing, allowing a heap-buffer-overflow write."

Attack vector

An attacker supplies a crafted TIFF file together with composite crop regions of mismatched dimensions (e.g., different widths for `-E top`/`-E bottom`, or different lengths for `-E left`/`-E right`) [ref_id=1][ref_id=2]. When `tiffcrop` is invoked with options such as `-E right -U in -z` and region coordinates that produce unequal region sizes, the missing validation in `extractCompositeRegions` allows a heap-buffer-overflow write in `extractContigSamplesShifted16bits` [ref_id=2]. No authentication is needed; the only precondition is that the victim runs `tiffcrop` with composite crop options on the attacker-supplied file [ref_id=2].

Affected code

The vulnerability resides in `tools/tiffcrop.c` at line 3516, in the function `extractContigSamplesShifted16bits` [ref_id=2]. The crash occurs when `extractCompositeRegions` (line 6801) calls this function without ensuring that the composite region dimensions are consistent, leading to an out-of-bounds write [ref_id=2]. The patch modifies `computeInputPixelOffsets` and `extractCompositeRegions` to validate that region widths/lengths are equal before processing composite images [ref_id=1].

What the fix does

The fix adds consistency checks in two functions. In `computeInputPixelOffsets`, when `crop->img_mode == COMPOSITE_IMAGES`, the patch verifies that for `EDGE_LEFT`/`EDGE_RIGHT` all regions have equal `zlength`, and for `EDGE_TOP`/`EDGE_BOTTOM` all regions have equal `zwidth`, returning an error if they differ [ref_id=1]. In `extractCompositeRegions`, a new upfront loop checks that all region widths (for top/bottom) or lengths (for left/right) match before any processing begins, and the existing per-iteration check is corrected to compare against the next region rather than the previous one [ref_id=1]. These changes prevent the buffer overrun by rejecting composite region sets with inconsistent dimensions.

Preconditions

  • Input: the victim must run tiffcrop on a crafted TIFF file with composite crop options (e.g., -E right -U in -z with mismatched region sizes)
  • Auth: no authentication required; the tool is invoked on the attacker-supplied file

Reproduction

Build libtiff with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared; make`). Run: `./build_asan/bin/tiffcrop -E right -U in -z 1,1,2048,2048:1,2049,2048,4097 -i poc /tmp/foo` using the provided poc.zip file [ref_id=2]. The tool will output TIFF warnings and then crash with a heap-buffer-overflow in `extractContigSamplesShifted16bits` at `tiffcrop.c:3516` [ref_id=2].
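As an added example (not libtiff's code and not the fix commit), the following C program models the consistency check described under "What the fix does" and applies it to the two regions in the reproduction command above (`-z 1,1,2048,2048:1,2049,2048,4097`). The `struct region`, the `x2 - x1 + 1` width/length derivation, the `poc_regions` helper and the slot-sizing model in `region_overrun_samples` are assumptions made for illustration; the coordinates are treated as already converted to pixels (the `-U in` unit conversion is out of scope).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Edge the composite is assembled against; mirrors tiffcrop's -E option. */
enum edge { EDGE_TOP, EDGE_BOTTOM, EDGE_LEFT, EDGE_RIGHT };

/* One -z region in pixel coordinates. Hypothetical struct, not libtiff's. */
struct region {
    uint32_t x1, y1, x2, y2;   /* inclusive corners */
    uint32_t width, length;    /* derived as x2-x1+1 and y2-y1+1 (assumption) */
};

static void region_init(struct region *r,
                        uint32_t x1, uint32_t y1, uint32_t x2, uint32_t y2)
{
    r->x1 = x1; r->y1 = y1; r->x2 = x2; r->y2 = y2;
    r->width  = x2 - x1 + 1;
    r->length = y2 - y1 + 1;
}

/* The two regions from the reproduction command (constructed input). */
void poc_regions(struct region r[2])
{
    region_init(&r[0], 1, 1,    2048, 2048);   /* 2048 x 2048 */
    region_init(&r[1], 1, 2049, 2048, 4097);   /* 2048 x 2049: one row longer */
}

/* Returns 1 if every region shares the dimension the composite mode needs:
 * equal widths when stacking top/bottom, equal lengths when placing
 * left/right. This is the upfront check the fix adds; a rejected set must
 * never reach the per-sample copy loops. */
int composite_regions_consistent(enum edge e, const struct region *r, size_t n)
{
    size_t i;
    for (i = 1; i < n; i++) {
        if (e == EDGE_TOP || e == EDGE_BOTTOM) {
            if (r[i].width != r[0].width) return 0;
        } else {
            if (r[i].length != r[0].length) return 0;
        }
    }
    return 1;
}

/* Model of the unchecked pre-fix layout: the shared dimension of the
 * composite buffer is taken from the first region, so region i gets a slot
 * sized from r[0]'s width (top/bottom) or r[0]'s length (left/right).
 * Returns how many samples region i would write past that slot; any
 * non-zero value is the out-of-bounds write the sanitizer reports. */
uint64_t region_overrun_samples(enum edge e, const struct region *r,
                                size_t n, size_t i)
{
    uint64_t slot, data;
    if (i >= n) return 0;
    if (e == EDGE_TOP || e == EDGE_BOTTOM)
        slot = (uint64_t)r[0].width * r[i].length;
    else
        slot = (uint64_t)r[i].width * r[0].length;
    data = (uint64_t)r[i].width * r[i].length;
    return data > slot ? data - slot : 0;
}

int main(void)
{
    struct region r[2];
    poc_regions(r);
    printf("-E right: consistent=%d, overrun=%llu samples\n",
           composite_regions_consistent(EDGE_RIGHT, r, 2),
           (unsigned long long)region_overrun_samples(EDGE_RIGHT, r, 2, 1));
    printf("-E top:   consistent=%d, overrun=%llu samples\n",
           composite_regions_consistent(EDGE_TOP, r, 2),
           (unsigned long long)region_overrun_samples(EDGE_TOP, r, 2, 1));
    return 0;
}
```

With `-E right` the second region is one row longer than the first (length 2049 vs 2048), so the check rejects the set; in the unchecked model that extra row is 2048 samples written past the region's slot. The same two regions pass under `-E top`, because there only the widths must agree, which is why the reproduction command needs `-E right` (or `-E left`) to reach the overflow.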

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
