CVE-2023-6228: 
Rocky Linux vulnerability analysis and mitigation

CVE-2023-6228 is a security vulnerability discovered in the tiffcp utility distributed with the libtiff package. The vulnerability was disclosed on December 18, 2023, and affects the processing of TIFF files. When processing a crafted TIFF file, the vulnerability can cause a heap-based buffer overflow in the cpStripToTile() function located in tools/tiffcp.c (NVD, Red Hat).

The vulnerability is classified as a heap-based buffer overflow vulnerability (CWE-787) that occurs in the cpStripToTile() function within the tools/tiffcp.c file. The CVSS v3.1 base score is 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating local access is required and user interaction is needed (NVD).

The primary impact of this vulnerability is an application crash due to the heap-based buffer overflow when processing specially crafted TIFF files. The vulnerability has been assessed to have no impact on confidentiality or integrity, with only low impact on availability (Ubuntu).

The vulnerability has been fixed in various distributions through security updates. Red Hat has released fixes through RHSA-2024:2289 for RHEL 9 and RHSA-2024:5079 for RHEL 8. Ubuntu has also provided fixes for multiple versions including 24.10, 24.04 LTS, and 22.04 LTS (Red Hat, Ubuntu).