CVE-2023-0801: 
NixOS vulnerability analysis and mitigation

CVE-2023-0801 is a vulnerability discovered in the libtiff package, specifically affecting the tiffcrop program. The vulnerability was disclosed in February 2023 and affects libtiff versions through 4.4.0. It involves an out-of-bounds write vulnerability in TIFFmemcpy() function in libtiff/tifunix.c when called by functions in tools/tiffcrop.c (Red Hat Advisory, Debian Advisory).

The vulnerability is caused by an out-of-bounds write in the TIFFmemcpy() function located in libtiff/tifunix.c, specifically when this function is called by routines in tools/tiffcrop.c. The issue occurs when processing certain malformed TIFF image files with the tiffcrop tool. The vulnerability has been assigned a CVSS score of 5.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability could lead to a denial of service (DoS) condition. If a user is tricked into opening a specially crafted TIFF file, an attacker could potentially cause the tiffcrop tool to crash or possibly execute arbitrary code (Broadcom Advisory).

The vulnerability has been fixed in various distribution releases. For Red Hat Enterprise Linux 8, the fix is included in libtiff version 4.0.9-29.el8_8. For Debian 10 (buster), the fix is available in version 4.1.0+git191117-2~deb10u7. Users are recommended to upgrade their libtiff packages to the patched versions. All running applications linked against libtiff must be restarted for the update to take effect (Red Hat Advisory).