
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-0797 is a vulnerability discovered in LibTIFF 4.4.0, specifically affecting the tiffcrop utility. The vulnerability was disclosed in February 2023 and impacts the libtiff package, which provides support for the Tag Image File Format (TIFF). The flaw is located in libtiff/tif_unix.c:368, which is reached from tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921 ([Rapid7](https://www.rapid7.com/db/vulnerabilities/huawei-euleros-20_sp5-cve-2023-0797/)).
The vulnerability is an out-of-bounds read in the tiffcrop utility. It is triggered when processing certain malformed TIFF image files, specifically in the TIFFmemcpy function in tif_unix.c:368. The vulnerability has been assigned a CVSS base score of 5.5, indicating medium severity, with a local attack vector and medium attack complexity (Oracle Linux).
When exploited, this vulnerability can lead to a denial-of-service condition. If a user is tricked into opening a specially crafted TIFF file, an attacker could cause the tiffcrop utility to crash (Broadcom Support).
The vulnerability has been fixed in various Linux distributions through security updates. For users building LibTIFF from source, the fix is available in commit afaabc3e. Debian users can upgrade to version 4.1.0+git191117-2~deb10u7, while Ubuntu users should update to the appropriate package versions through their system's package manager (Debian Security).
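A defender checking a fleet for this issue needs to compare installed package versions against the fixed version above, and Debian version strings (epochs, `+git` suffixes, `~deb10u7` revisions) do not sort correctly as plain strings. The following is an added example, not code from the original page or from the LibTIFF or Debian projects: it reimplements dpkg's version-ordering rules in Python and applies them to the Debian fixed version given above. The `is_fixed` helper and the sample version strings are constructed for illustration. One caveat the check makes explicit: the fixed version string only applies to Debian's own package line (the fix is backported into 4.1.0-based packages), so an upstream `4.4.0` tarball compares as "newer" than the Debian fix while still being vulnerable; compare each distribution's package against that distribution's advisory, not against another's.

```python
"""Compare Debian package versions using dpkg's ordering rules (added example)."""

# Debian fixed version for CVE-2023-0797, taken from the advisory text above.
DEBIAN_FIXED_LIBTIFF = "4.1.0+git191117-2~deb10u7"


def _order(c: str) -> int:
    """Sort weight dpkg assigns to one character of a non-digit fragment.
    '~' sorts before everything (even the end of the string), letters sort
    before non-letters, and end-of-string / digits carry weight 0."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit (lexical, with _order) and
    digit (numeric) fragments. Negative, zero or positive like strcmp."""
    ia = ib = 0
    la, lb = len(a), len(b)
    while ia < la or ib < lb:
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (ia < la and not a[ia].isdigit()) or (ib < lb and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < la else "")
            bc = _order(b[ib] if ib < lb else "")
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then longer run wins, else first differing digit.
        while ia < la and a[ia] == "0":
            ia += 1
        while ib < lb and b[ib] == "0":
            ib += 1
        while ia < la and ib < lb and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < la and a[ia].isdigit():
            return 1
        if ib < lb and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 depending on whether a < b, a == b or a > b under dpkg rules."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for left, right in ((ua, ub), (ra, rb)):
        r = _verrevcmp(left, right)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed: str, fixed: str = DEBIAN_FIXED_LIBTIFF) -> bool:
    """True when the installed Debian package version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions, e.g. as reported by `dpkg-query -W libtiff5`.
    for sample in ("4.1.0+git191117-2~deb10u6", DEBIAN_FIXED_LIBTIFF, "4.1.0+git191117-2~deb10u8"):
        print(f"{sample:32s} fixed={is_fixed(sample)}")
```

Run it as-is for the sample table, or import `is_fixed` and feed it the output of `dpkg-query -W -f '${Version}' libtiff5` on each host being assessed.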
Source: This report was generated using AI