CVE-2023-3618: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in libtiff where a specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service. The vulnerability was assigned CVE-2023-3618 and was discovered in July 2023 affecting libtiff versions prior to 4.5.1 (NVD, Debian Tracker).

The vulnerability is a buffer overflow issue in the Fax3Encode function located in libtiff/tif_fax3.c. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating that it requires user interaction and can be exploited remotely without authentication (Red Hat).

When successfully exploited, this vulnerability can lead to a denial of service condition through a segmentation fault caused by the buffer overflow. The impact is primarily on the availability of the system, with no direct impact on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in libtiff version 4.5.1. Users are advised to upgrade to this version or apply appropriate patches provided by their distribution vendors. Multiple vendors have released security updates addressing this vulnerability, including Red Hat, Debian, and Apple (Debian LTS, Apple Security).