CVE-2023-52355: 
NixOS vulnerability analysis and mitigation

CVE-2023-52355 is an out-of-memory vulnerability discovered in libtiff that affects the TIFFRasterScanlineSize64() API. The vulnerability was disclosed on January 25, 2024, and affects libtiff versions up to (excluding) 4.6.0. The flaw can be triggered by passing a crafted TIFF file to the affected API function (NVD, Red Hat CVE).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 base score of 7.5 (High). The issue occurs when TIFFRasterScanlineSize64() calculates size based on user-controllable fields td->td_bitspersample and td->td_imagewidth, without proper size validation. The vulnerability can be triggered with a crafted input file smaller than 379 KB (NVD, Libtiff Issue).

When successfully exploited, this vulnerability allows remote attackers to cause a denial of service condition through memory exhaustion. The attack can be executed remotely without requiring any privileges or user interaction (NVD).

The issue has been addressed in libtiff version 4.6.0 and later. The fix primarily involves documentation updates to ensure applications properly limit memory usage. For affected versions, system administrators should ensure proper resource limitations are in place to prevent memory exhaustion attacks (Debian Tracker).