Unrated severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2023-0804

Description

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing validation that all composite regions have equal width or length before pixel extraction, leading to an out-of-bounds write in extractContigSamplesShifted24bits."

Attack vector

An attacker supplies a crafted TIFF file with multiple crop regions of unequal width or length when using the `-E` (edge) composite mode of tiffcrop [ref_id=1][ref_id=2]. The tool fails to validate that all regions have consistent dimensions before copying pixel data, causing `extractContigSamplesShifted24bits` to write past the allocated buffer [ref_id=2]. The attack is triggered by running `tiffcrop -E right -z ... -i -s crafted.tif output.tif` [ref_id=2]. No authentication or special privileges are required; the attacker only needs to deliver the malformed file to a victim who processes it with tiffcrop.

Affected code

The out-of-bounds write occurs in `extractContigSamplesShifted24bits` at `tools/tiffcrop.c:3609` [ref_id=2]. The call chain is `main` → `processCropSelections` → `extractCompositeRegions` → `extractContigSamplesShifted24bits` [ref_id=2]. The patch modifies `computeInputPixelOffsets` and `extractCompositeRegions` in the same file to add consistency checks on region dimensions before composite processing [ref_id=1].

What the fix does

The patch adds dimension-consistency checks in two functions. In `computeInputPixelOffsets`, after computing each region's `buffsize`, the code now verifies that for `EDGE_LEFT`/`EDGE_RIGHT` all regions have equal `zlength` and for `EDGE_TOP`/`EDGE_BOTTOM` all regions have equal `zwidth`, returning an error if they differ [ref_id=1]. In `extractCompositeRegions`, a new upfront loop checks that all region widths (for top/bottom) or lengths (for left/right) match before any pixel extraction begins, and the existing per-iteration comparison was corrected from comparing against the previous region to comparing against the next region [ref_id=1]. These checks prevent the buffer overrun by rejecting composite operations with mismatched region sizes.
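The dimension-consistency rule described above, written out as a small stand-alone C example. This is added illustration, not libtiff's own code: the `EDGE_*` enum values, the `struct region` fields and the helper names are assumptions, and the sample regions are constructed from the dimensions given in the reproduction command (interpreting each `-z` quadruple as `x1,y1,x2,y2`, which is also an assumption). It shows why a right-edge composite of a 2048x2048 region and a 2048x2049 region must be rejected before any buffer is sized or filled, and how adjacent regions are compared pairwise (each region against the next).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Edge modes named after the advisory text; the numeric values are assumed. */
enum edge_mode { EDGE_LEFT = 1, EDGE_RIGHT, EDGE_TOP, EDGE_BOTTOM };

/* Minimal stand-in for a crop region: only the two fields the check needs. */
struct region {
    uint32_t zwidth;   /* width in pixels of this crop region */
    uint32_t zlength;  /* length (height) in pixels of this crop region */
};

/* Returns 0 when every region agrees on the dimension along which the
 * composite is joined, -1 otherwise. Left/right joins place regions side by
 * side, so all lengths must match; top/bottom joins stack regions, so all
 * widths must match. Each region is compared with the next one. */
int regions_consistent(enum edge_mode mode, const struct region *r, size_t n)
{
    if (r == NULL || n == 0)
        return -1;
    for (size_t i = 0; i + 1 < n; i++) {
        switch (mode) {
        case EDGE_LEFT:
        case EDGE_RIGHT:
            if (r[i].zlength != r[i + 1].zlength)
                return -1;
            break;
        case EDGE_TOP:
        case EDGE_BOTTOM:
            if (r[i].zwidth != r[i + 1].zwidth)
                return -1;
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Size in bytes of the composite buffer, or 0 when the regions are rejected
 * (inconsistent dimensions or arithmetic overflow). bytes_per_pixel is a
 * caller-supplied value, e.g. 3 for 24-bit RGB. */
size_t composite_buffer_size(enum edge_mode mode, const struct region *r,
                             size_t n, size_t bytes_per_pixel)
{
    if (regions_consistent(mode, r, n) != 0)
        return 0;
    uint64_t total_w = 0, total_l = 0;
    if (mode == EDGE_LEFT || mode == EDGE_RIGHT) {
        total_l = r[0].zlength;                 /* shared by all regions */
        for (size_t i = 0; i < n; i++)
            total_w += r[i].zwidth;             /* widths add up */
    } else {
        total_w = r[0].zwidth;                  /* shared by all regions */
        for (size_t i = 0; i < n; i++)
            total_l += r[i].zlength;            /* lengths add up */
    }
    if (total_w == 0 || total_l == 0 || bytes_per_pixel == 0)
        return 0;
    if (total_l > UINT64_MAX / total_w)
        return 0;
    uint64_t pixels = total_w * total_l;
    if (bytes_per_pixel > UINT64_MAX / pixels)
        return 0;
    uint64_t bytes = pixels * bytes_per_pixel;
    if (bytes > (uint64_t)SIZE_MAX)
        return 0;
    return (size_t)bytes;
}

/* Constructed regions taken from the reproduction command's dimensions. */
static const struct region poc_regions[2] = {
    { 2048, 2048 },   /* 1,1,2048,2048   -> width 2048, length 2048 */
    { 2048, 2049 }    /* 1,2049,2048,4097 -> width 2048, length 2049 */
};

/* Constructed regions with matching lengths, accepted for a right-edge join. */
static const struct region good_regions[2] = {
    { 2048, 2048 },
    { 2048, 2048 }
};

int main(void)
{
    printf("poc, -E right : %s\n",
           regions_consistent(EDGE_RIGHT, poc_regions, 2) == 0 ? "accepted" : "rejected");
    printf("poc, -E top   : %s\n",
           regions_consistent(EDGE_TOP, poc_regions, 2) == 0 ? "accepted" : "rejected");
    printf("good, -E right: %zu bytes\n",
           composite_buffer_size(EDGE_RIGHT, good_regions, 2, 3));
    return 0;
}
```

The same unequal regions pass under a top/bottom join, because there only the widths need to agree; the check is specific to the join direction, which is why the advisory describes separate `zlength` and `zwidth` comparisons for the two edge pairs.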

Preconditions

  • Victim runs tiffcrop with the -E (edge) composite option and a crafted TIFF file containing multiple crop regions of unequal dimensions
  • The crafted TIFF file must specify at least two crop regions with mismatched widths or lengths via the -z parameter

Reproduction

Build libtiff with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared; make`). Run: `./build_asan/bin/tiffcrop -E right -z 1,1,2048,2048:1,2049,2048,4097 -i -s poc /tmp/foo` using the attached poc.zip [ref_id=2]. The tool will crash with a heap-buffer-overflow at `extractContigSamplesShifted24bits` in `tiffcrop.c:3609` [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
