CVE-2023-6277

2023-11-2400:00:00

ubuntu.com

libtiff

out-of-memory

denial of service

remote attacker

crafted input

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to
TIFFOpen() API may allow a remote attacker to cause a denial of service via
a craft input with size smaller than 379 KB.

Bugs

Notes

Author	Note
	Priority reason: Minor issue, only a OOM DoS
rodrigo-zaiden	the first commit was claimed to introduce regressions, so we should consider the follow up commits that makes the check a bit less restrictive. one of the regressions was caught by debian in libimager-perl, https://bugs.debian.org/1057270. with the proposed follow up commits, we should be clear wit that regression

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchtiff< 4.0.9-5ubuntu0.10+esm5UNKNOWN
ubuntu20.04noarchtiff< 4.1.0+git191117-2ubuntu0.20.04.12UNKNOWN
ubuntu22.04noarchtiff< 4.3.0-6ubuntu0.8UNKNOWN
ubuntu23.10noarchtiff< 4.5.1+git230720-1ubuntu1.1UNKNOWN
ubuntu14.04noarchtiff< 4.0.3-7ubuntu0.11+esm12UNKNOWN
ubuntu16.04noarchtiff< 4.0.6-1ubuntu0.8+esm15UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	tiff	< 4.0.9-5ubuntu0.10+esm5	UNKNOWN
ubuntu	20.04	noarch	tiff	< 4.1.0+git191117-2ubuntu0.20.04.12	UNKNOWN
ubuntu	22.04	noarch	tiff	< 4.3.0-6ubuntu0.8	UNKNOWN
ubuntu	23.10	noarch	tiff	< 4.5.1+git230720-1ubuntu1.1	UNKNOWN
ubuntu	14.04	noarch	tiff	< 4.0.3-7ubuntu0.11+esm12	UNKNOWN
ubuntu	16.04	noarch	tiff	< 4.0.6-1ubuntu0.8+esm15	UNKNOWN