CVE-2023-6277: Libtiff: out-of-memory in tiffopen via a craft file
Published Nov 24, 2023
·Updated
Accounts. The issue was addressed with improved checks.
Credit
CVE-2023-6277, CVE-2023-52356, Mickey Jin@@patch1t, Yisumi, sqrtpwn, Minghao Lin(Zhejiang University), Jiaxun Zhu(Zhejiang University), Patrick Wardle(DoubleYou), Adam M., CVE-2024-6387, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), Csaba Fitzl@@theevilbit(Kandji), Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), CVE-2024-23296, Yadhu Krishna M(Cyber Security At Suma Soft Pvt), Narendra Bhati(Cyber Security At Suma Soft Pvt), Manager(Cyber Security At Suma Soft Pvt), Pune (India), Kirin@@Pwnrin, Joshua Jones, an anonymous researcher, Marcio Almeida(Tanto Security), Jiahui Hu (梅零落)(NorthSea), Meng Zhang (鲸落)(NorthSea), Matthew Loewen, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), D4m0n, Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, Minghao Lin(Baidu Security), (Baidu Security), Ye Zhang@@VAR10CK(Baidu Security), w0wbox, Junsung Lee(Trend Micro Zero Day Initiative), Gandalf4a, CertiK SkyFall Team, CVE-2024-40805, Jacob Braun, Wojciech Regula(SecuRing), Bistrit Dahal, Srijan Poudel, Abhay Kailasia@@abhay_kailasia(Lakshmi Narain College of Technology Bhopal India), ajajfxhj, Huang Xilin(Ant Group Light), Maksymilian Motyl, Johan Carlsson (joaxcar), Seunghyun Lee@@0x10n(KAIST Hacking Lab working with Trend Micro Zero Day Initiative), Gary Kwong, Andreas Jaegersberger, Ro Achterberg, Linwz(DEVCORE), (CrowdStrike Counter Adversary Operations), Mateen Alinaghi, (Dawn Security Lab of JingDong), Mickey Jin@@patch1t(Kandji), Matthew Butler, CVE-2024-4558, IES Red Team(ByteDance), Yeto, Yann Gascuel(Alter Solutions), Wang Yu(Cyberserval), Rodolphe BRUNETTI@@eisw0lf, Pedro Tôrres@@t0rr3sp3dr0, (Kandji), Csaba Fitzl@@theevilbit(Offensive Security), Jiwon Park, Arsenii Kostromin (0x3c3e), Pr(Bar), Pr(Hebrew University), EP, Hanqiu Wang(University of Florida), Zihao Zhan(Texas Tech University), Haoqi Shan(Certik), Siqi Dai(University of Florida), Max Panoff(University of Florida), (University of Florida), Shuo Wang(University of Florida), Meysam Firouzi@@R00tkitSMM, Minghao Lin
Affected Software
22 affected componentsFixes available
debian/tiff<=4.2.0-1+deb11u5, <=4.5.0-6+deb12u1
4.5.1+git230720-5
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP4
Apple macOS Sonoma<14.6
14.6
Apple tvOS<17.6
17.6
Apple WatchOS<10.6
10.6
Apple visionOS<1.3
1.3
Apple macOS Monterey<12.7.6
12.7.6
Apple macOS Ventura<13.6.8
13.6.8
Apple iOS<17.6
17.6
Apple iPadOS<17.6
17.6
All of the following
Any of the following
redhat Enterprise Linux=6.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
LibTIFF libtiff
Fedoraproject Fedora=38
Apple iOS<16.7.9
16.7.9
Apple iPadOS<16.7.9
16.7.9
Microsoft azl3 libtiff 4.6.0-3
Microsoft cbl2 libtiff 4.6.0-3
Microsoft azl3 libtiff 4.6.0-6
Remediation
Patch Available
Patch Available
Patch Available
Event History
Nov 24, 2023
Data Sourced
via Red Hat·08:25 AM
DescriptionSeverityAffected Software
CVE Published
via MITRE·06:20 PM
Data Sourced
via MITRE·06:20 PM
DescriptionSeverityWeakness
Feb 19, 2024
Data Sourced
via Launchpad·08:53 PM
Description
Jul 29, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Aug 18, 2024
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
Sep 14, 2024
Data Sourced
via Ubuntu·09:25 PM
RemedyDescriptionSeverityAffected Software
Frequently Asked Questions
1
What is CVE-2023-6277?
CVE-2023-6277 is a vulnerability in the libtiff library that allows a remote attacker to cause a denial of service by exploiting an out-of-memory flaw in the TIFFOpen() API.
2
What is the severity of CVE-2023-6277?
The severity of CVE-2023-6277 is high with a CVSS score of 7.5.
3
How does CVE-2023-6277 impact libtiff?
CVE-2023-6277 impacts libtiff by allowing a remote attacker to cause a denial of service by exploiting an out-of-memory flaw in the TIFFOpen() API.
4
How can I fix CVE-2023-6277?
To fix CVE-2023-6277, you should update to the latest version of libtiff where the vulnerability has been patched.
5
Where can I find more information about CVE-2023-6277?
You can find more information about CVE-2023-6277 at the following references: [Red Hat CVE Page](https://access.redhat.com/security/cve/CVE-2023-6277), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2251311), and [libtiff GitLab Issues](https://gitlab.com/libtiff/libtiff/-/issues/614).