CVE-2023-25433
Description
libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop causes heap-buffer-overflow and SEGV.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
18 OSV package coordinates with their affected version ranges (no CPE is assigned to any entry):
- pkg:rpm/almalinux/libtiff: < 4.0.9-32.el8_10
- pkg:rpm/almalinux/libtiff-devel: < 4.0.9-32.el8_10
- pkg:rpm/almalinux/libtiff-tools: < 4.0.9-32.el8_10
- pkg:rpm/opensuse/tiff, distro: openSUSE Leap 15.4: < 4.0.9-150000.45.32.1
- pkg:rpm/opensuse/tiff, distro: openSUSE Leap 15.5: < 4.0.9-150000.45.32.1
- pkg:rpm/opensuse/tiff, distro: openSUSE Leap Micro 5.3: < 4.0.9-150000.45.32.1
- pkg:rpm/opensuse/tiff, distro: openSUSE Leap Micro 5.4: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Micro 5.2: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Micro 5.3: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Micro 5.4: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Micro 5.5: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Module for Basesystem 15 SP4: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Module for Basesystem 15 SP5: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Module for Package Hub 15 SP4: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Module for Package Hub 15 SP5: < 4.0.9-150000.45.32.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Server 12 SP5: < 4.0.9-44.71.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 4.0.9-44.71.1
- pkg:rpm/suse/tiff, distro: SUSE Linux Enterprise Software Development Kit 12 SP5: < 4.0.9-44.71.1
Patches
Vulnerability mechanics
Root cause
"Incorrect updating of buffer size after rotateImage() in tiffcrop causes heap-buffer-overflow."
Attack vector
An attacker provides a crafted TIFF file and invokes `tiffcrop` with the `-Z` (crop zone) and `-R` (rotation) options, e.g. `-Z 12:50,12:99 -R 270` [ref_id=1]. The tool reads the malicious image, and during processing `rotateImage()` allocates a buffer based on the pre-rotation dimensions but does not adjust the stored buffer size to reflect the rotated dimensions [ref_id=1]. When `processCropSelections()` later calls `memset` on that buffer using the (now-incorrect) larger size, it writes past the end of the allocated heap region, causing a heap-buffer-overflow and SIGSEGV [ref_id=1]. No authentication or special privileges are required beyond the ability to run `tiffcrop` on the attacker-supplied file.
Affected code
The vulnerability is in `/libtiff/tools/tiffcrop.c` at line 8499 within the `processCropSelections()` function [ref_id=1]. The ASAN report shows the heap-buffer-overflow occurs during a `memset` call in `processCropSelections`, and the undersized buffer was allocated by `rotateImage()` at line 9605 [ref_id=1]. The root cause is that `rotateImage()` does not correctly update the buffer size metadata after rotation, so the subsequent `memset` in `processCropSelections` writes beyond the allocated region.
What the fix does
The issue report does not include a patch; it documents the heap-buffer-overflow in `processCropSelections()` at line 8499 of `tiffcrop.c` caused by `rotateImage()` failing to update the buffer size after rotation [ref_id=1]. The advisory does not specify a fix. To remediate, the `rotateImage()` function must recalculate and store the new buffer dimensions so that subsequent operations like `memset` in `processCropSelections()` use the correct allocated size [ref_id=1].
Preconditions
- input: The attacker must supply a crafted TIFF file that triggers the crop/rotation code path.
- config: The tiffcrop tool must be invoked with both the `-Z` (crop zone) and `-R` (rotation) options.
Reproduction
Build libtiff from source (version 4.5.0, commit a63e18ca) with AddressSanitizer enabled. Run: `./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null` where `poc` is the crafted TIFF file attached to the issue [ref_id=1]. The tool will crash with SIGSEGV, and under ASAN it reports a heap-buffer-overflow in `processCropSelections()` at line 8499 [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.