
Cloud Vulnerability DB
A community-led vulnerabilities database
An out-of-memory flaw was found in libtiff. Passing a crafted TIFF file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input smaller than 379 KB. The vulnerability was discovered in November 2023 and affects the libtiff library (CVE Details, Mitre CVE).
The vulnerability exists in the TIFFOpen() API function of libtiff. When processing a maliciously crafted TIFF file smaller than 379 KB in size, the function can trigger an out-of-memory condition. This occurs during the allocation of memory for strip arrays in the ChopUpSingleUncompressedStrip function (Libtiff Issue).
When successfully exploited, this vulnerability can lead to denial-of-service conditions by causing the application to run out of memory when processing specially crafted TIFF files. This affects applications that use the libtiff library for image processing (NVD).
The vulnerability has been fixed in libtiff through a series of patches that improve memory allocation checks and validation. The fix includes comparing data size with file size to prevent provoked out-of-memory attacks (Libtiff MR).
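The file-size comparison described above, sketched as an added example; this is not libtiff's code or the actual patch. The function name, return codes and parameters are hypothetical, and the values in `main` are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical result codes for this sketch. */
enum { CHOP_OK = 0, CHOP_BAD_INPUT = -1, CHOP_EXCEEDS_FILE = -2, CHOP_NOMEM = -3 };

/* Hypothetical helper: plan the split of one uncompressed strip into chunks.
 * strip_offset, strip_bytes and bytes_per_chunk come from the file header and
 * are untrusted; file_size is the real on-disk size (e.g. from fstat).
 * On success *offsets and *counts are malloc'd arrays of *nstrips entries. */
int plan_strip_split(uint64_t file_size, uint64_t strip_offset,
                     uint64_t strip_bytes, uint64_t bytes_per_chunk,
                     uint64_t **offsets, uint64_t **counts, uint64_t *nstrips)
{
    if (bytes_per_chunk == 0 || strip_bytes == 0)
        return CHOP_BAD_INPUT;
    /* Core check: uncompressed data must physically fit inside the file.
     * Written with a subtraction so the comparison cannot overflow. */
    if (strip_offset > file_size || strip_bytes > file_size - strip_offset)
        return CHOP_EXCEEDS_FILE;
    /* Ceiling division without overflow; n is now bounded by file_size. */
    uint64_t n = strip_bytes / bytes_per_chunk + (strip_bytes % bytes_per_chunk != 0);
    /* Guard the multiplication used for the allocation size. */
    if (n > SIZE_MAX / sizeof(uint64_t))
        return CHOP_NOMEM;
    uint64_t *off = malloc((size_t)n * sizeof *off);
    uint64_t *cnt = malloc((size_t)n * sizeof *cnt);
    if (!off || !cnt) { free(off); free(cnt); return CHOP_NOMEM; }

    uint64_t remaining = strip_bytes;
    for (uint64_t i = 0; i < n; i++) {
        cnt[i] = remaining < bytes_per_chunk ? remaining : bytes_per_chunk;
        off[i] = strip_offset + i * bytes_per_chunk;
        remaining -= cnt[i];
    }
    *offsets = off; *counts = cnt; *nstrips = n;
    return CHOP_OK;
}

int main(void)
{
    uint64_t *o = NULL, *c = NULL, n = 0;
    /* Constructed case: a 379000-byte file whose header claims a 1 TiB strip. */
    int rc = plan_strip_split(379000, 8, UINT64_C(1) << 40, 8192, &o, &c, &n);
    return rc == CHOP_EXCEEDS_FILE ? 0 : 1; /* rejected before any allocation */
}
```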
Multiple vendors have acknowledged and addressed this vulnerability in their products, including Apple, which has incorporated fixes in various OS updates including iOS, macOS, and watchOS (Apple Security). NetApp has also investigated and documented the impact on their products (NetApp Advisory).
Source: This report was generated using AI