CVE-2023-1916
Published: 2023-04-10
Priority: P4 (21) · CVSS 3.1 base score 6.1 (medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
EPSS: 0.39% (30.7th percentile)
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| debian | tiff | < tiff 4.7.0-1 (forky) | tiff 4.7.0-1 (forky) |
| libtiff | libtiff | — | — |
| libtiff | libtiff | 4.0 – 4.5.0 | — |
| msrc | cbl2_libtiff_4.5.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_libtiff_4.5.1-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H |
| osv | 6.1 | MEDIUM | — |
| vendor_debian | 6.1 | LOW | — |
| vendor_msrc | 6.1 | MEDIUM | — |
| vendor_redhat | 6.1 | MEDIUM | — |
Ubuntu
LibTIFF vulnerability
vendor_ubuntu · 2023-10-11
Title: LibTIFF vulnerability
Summary: LibTIFF could be made to crash if it opened a specially crafted file.
It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Apple
CVE-2023-1916: macOS Monterey 12.6.8
vendor_apple · 2023-07-24 · CVSS 6.1 (MEDIUM)
Apple Security Update: About the security content of macOS Monterey 12.6.8
Product: macOS Monterey
Version: 12.6.8
CVE: CVE-2023-1916
Component: CVE-2023-1916
Impact: An app may cause unexpected app termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2023-1916: macOS Ventura 13.5
vendor_apple · 2023-07-24 · CVSS 6.1 (MEDIUM)
Apple Security Update: About the security content of macOS Ventura 13.5
Product: macOS Ventura
Version: 13.5
CVE: CVE-2023-1916
Component: CVE-2023-1916
Apple
CVE-2023-29491: macOS Monterey 12.6.8
vendor_apple · 2023-07-24 · CVSS 6.1 (MEDIUM)
Apple Security Update: About the security content of macOS Monterey 12.6.8
Product: macOS Monterey
Version: 12.6.8
CVE: CVE-2023-29491
Component: CVE-2023-1916
Impact: An app may cause unexpected app termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
Microsoft
vendor_msrc · 2023-04-11 · CVSS 6.1 (MEDIUM) · CWE-125
A flaw was found in tiffcrop a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See
Red Hat
libtiff: out-of-bounds read in extractImageSection() in tools/tiffcrop.c
vendor_redhat · 2023-03-18 · CVSS 6.1 (MEDIUM) · CWE-125
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
Statement: This flaw has been rated with a low severity because it affects only the tiffcrop utility rather than the libtiff library itself. Additional
Debian
CVE-2023-1916: tiff
vendor_debian · 2023 · CVSS 6.1 (MEDIUM)
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.7.0-1)
sid: resolved (fixed in 4.7.0-1)
trixie: resolved (fixed in 4.7.0-1)
GHSA
GHSA-mh23-v522-9fqx
ghsa_unreviewed · 2023-04-11 · MEDIUM · CWE-125
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
OSV
CVE-2023-1916
osv · 2023-04-10 · CVSS 6.1 (MEDIUM)
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/libtiff/libtiff/-/issues/536
- https://gitlab.com/libtiff/libtiff/-/issues/537
- https://support.apple.com/kb/HT213844