CVE-2023-26966

An attacker provides a crafted little-endian TIFF file with a corrupted directory structure (e.g., invalid directory count and unsorted tags) [ref_id=1]. When `tiffcrop` is invoked with the `-B` flag (specifying big-endian output), the tool attempts to re-encode the image data, which reaches the LogLuv encoding path [ref_id=1]. The corrupted input causes an out-of-bounds read in `uv_encode()`, leading to a segmentation fault [ref_id=1]. No authentication or special privileges are required beyond opening the malicious file.

The crash occurs in `uv_encode()` at `libtiff/tif_luv.c:961`, called via `LogLuv24fromXYZ` (line 1057), `Luv24fromXYZ` (line 1120), `LogLuvEncode24` (line 569), and `LogLuvEncodeStrip` (line 722) [ref_id=1]. The tool `tiffcrop` triggers the bug through `writeBufferToContigStrips` and `writeCroppedImage` [ref_id=1].

The issue report does not include a patch; it documents a SEGV in `uv_encode()` at `tif_luv.c:961` triggered by a corrupted TIFF file [ref_id=1]. The advisory does not specify a fix or remediation. As of the report, the vulnerability remains unpatched in libtiff 4.5.0 [ref_id=1].

Clone libtiff, configure, and build. Run: `./tools/tiffcrop -B poc temp` where `poc` is the supplied proof-of-concept file [ref_id=1]. The tool will emit TIFF warnings and then crash with SIGSEGV [ref_id=1].