Bugzilla – Bug 1208236
VUL-1: CVE-2023-0804: tiff: out of bounds write when combining regions in composite images
Last modified: 2023-06-22 07:57:08 UTC
CVE-2023-0804 LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0804
https://www.cve.org/CVERecord?id=CVE-2023-0804
https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
https://gitlab.com/libtiff/libtiff/-/issues/497
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0804.json
This looks like the same bug as bnc#1208231. Therefore, it should only affect:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
This is an autogenerated message for OBS integration:
This bug (1208236) was mentioned in
https://build.opensuse.org/request/show/1067182 Factory / tiff
SUSE-SU-2023:2321-1: An update that solves 10 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1208226, 1208227, 1208228, 1208229, 1208230, 1208231, 1208232, 1208233, 1208234, 1208236
CVE References: CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804

Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): tiff-4.0.9-44.68.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): tiff-4.0.9-44.68.1
SUSE Linux Enterprise Server 12 SP5 (src): tiff-4.0.9-44.68.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): tiff-4.0.9-44.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2334-1: An update that solves 10 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1208226, 1208227, 1208228, 1208229, 1208230, 1208231, 1208232, 1208233, 1208234, 1208236
CVE References: CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804

Sources used:
openSUSE Leap Micro 5.3 (src): tiff-4.0.9-150000.45.28.1
openSUSE Leap 15.4 (src): tiff-4.0.9-150000.45.28.1
openSUSE Leap 15.5 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro 5.3 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro 5.4 (src): tiff-4.0.9-150000.45.28.1
Basesystem Module 15-SP4 (src): tiff-4.0.9-150000.45.28.1
Basesystem Module 15-SP5 (src): tiff-4.0.9-150000.45.28.1
SUSE Package Hub 15 15-SP4 (src): tiff-4.0.9-150000.45.28.1
SUSE Package Hub 15 15-SP5 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Real Time 15 SP3 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro 5.2 (src): tiff-4.0.9-150000.45.28.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): tiff-4.0.9-150000.45.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.