Ubuntu.comUB:CVE-2023-1916CVE-2023-1916
6.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
3.3 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:N/A:P
0.0004 Low
EPSS
Percentile
9.6%
A flaw was found in tiffcrop, a program distributed by the libtiff package.
A specially crafted tiff file can lead to an out-of-bounds read in the
extractImageSection function in tools/tiffcrop.c, resulting in a denial of
service and limited information disclosure. This issue affects libtiff
versions 4.x.
Bugs
- <https://gitlab.com/libtiff/libtiff/-/issues/536>
- <https://gitlab.com/libtiff/libtiff/-/issues/537>
Notes
| Author | Note |
|---|---|
| mdeslaur | low security impact as it is a denial of service in a command- line tool only, marking as low priority |
| ccdm94 | As of 2023-08-22, the fix for this issue seems to have not been merged (https://gitlab.com/libtiff/libtiff/-/merge_requests/476). |
| mdeslaur | There is a new merge request here: https://gitlab.com/libtiff/libtiff/-/merge_requests/535 Since the tiffcrop tool has been removed, the merge request will go nowhere, but can likely be used to fix previous releases. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | tiff | < 4.0.9-5ubuntu0.10+esm3) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
| ubuntu | 20.04 | noarch | tiff | < 4.1.0+git191117-2ubuntu0.20.04.10 | UNKNOWN |
| ubuntu | 22.04 | noarch | tiff | < 4.3.0-6ubuntu0.6 | UNKNOWN |
| ubuntu | 23.04 | noarch | tiff | < 4.5.0-5ubuntu1.2 | UNKNOWN |
| ubuntu | 23.10 | noarch | tiff | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | tiff | < any | UNKNOWN |
| ubuntu | 14.04 | noarch | tiff | < 4.0.3-7ubuntu0.11+esm10) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
| ubuntu | 16.04 | noarch | tiff | < 4.0.6-1ubuntu0.8+esm13) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
Related
6.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
3.3 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:N/A:P
0.0004 Low
EPSS
Percentile
9.6%