CVE-2023-3164: 
NixOS vulnerability analysis and mitigation

A heap-buffer-overflow vulnerability was discovered in LibTIFF's extractImageSection() function, specifically at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. The vulnerability was assigned CVE-2023-3164 and was publicly disclosed in November 2023. This security flaw affects the tiffcrop command-line tool in various versions of LibTIFF up to version 4.6.0 (NVD, Ubuntu).

The vulnerability is a heap-buffer-overflow that occurs in the extractImageSection() function within the tiffcrop utility. The issue manifests when processing crafted TIFF files with specific parameters. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating local access is required and user interaction is needed (NVD).

When exploited, this vulnerability allows attackers to cause a denial of service condition through a specially crafted TIFF file. The impact is primarily limited to the availability of the system, with no direct impact on confidentiality or integrity (NVD, Debian).

The vulnerability has been fixed in LibTIFF version 4.6.0. Various Linux distributions have released security updates to address this issue. Users are advised to update to the latest version of LibTIFF or apply the security patches provided by their distribution vendors (Ubuntu, Red Hat).