First published: Mon Apr 10 2023
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted TIFF file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
CVE: CVE-2023-1916. Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Libtiff | >=4.0 <=4.5.0 | |
Apple macOS Ventura | <13.5 | 13.5 |
Apple macOS Monterey | <12.6.8 | 12.6.8 |
ubuntu/tiff | <4.0.9-5ubuntu0.10+ | 4.0.9-5ubuntu0.10+ |
ubuntu/tiff | <4.1.0+ | 4.1.0+ |
ubuntu/tiff | <4.3.0-6ubuntu0.6 | 4.3.0-6ubuntu0.6 |
ubuntu/tiff | <4.5.0-5ubuntu1.2 | 4.5.0-5ubuntu1.2 |
ubuntu/tiff | <4.0.3-7ubuntu0.11+ | 4.0.3-7ubuntu0.11+ |
ubuntu/tiff | <4.0.6-1ubuntu0.8+ | 4.0.6-1ubuntu0.8+ |
debian/tiff | <=4.1.0+git191117-2~deb10u4 | |
debian/tiff | <=4.1.0+git191117-2~deb10u8 | |
debian/tiff | <=4.2.0-1+deb11u5 | |
debian/tiff | <=4.5.0-6+deb12u1 | |
debian/tiff | <=4.5.1+git230720-4 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
CVE-2023-1916 is a vulnerability found in the tiffcrop program distributed by the libtiff package.
CVE-2023-1916 can lead to an out-of-bounds read in the extractImageSection function, resulting in a denial of service and limited information disclosure.
CVE-2023-1916 affects libtiff versions 4.0.9-5ubuntu0.10+ (bionic), 4.1.0+ (focal), 4.3.0-6ubuntu0.6 (jammy), 4.5.0-5ubuntu1.2 (lunar), 4.0.3-7ubuntu0.11+ (trusty), and 4.0.6-1ubuntu0.8+ (xenial).
To fix CVE-2023-1916, update the libtiff package to the recommended versions provided by the respective sources (Ubuntu or Debian).
You can find more information about CVE-2023-1916 at the following references: [MITRE CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1916), [Ubuntu Security Notice](https://ubuntu.com/security/notices/USN-6428-1), and [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-1916).