CVE-2025-8534: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-8534) was discovered in libtiff version 4.6.0, specifically affecting the PS_Lvl2page function in the tools/tiff2ps.c component of tiff2ps. The vulnerability was disclosed on August 4, 2025, and involves a null pointer dereference issue that occurs when specific conditions are met (VulDB).

The vulnerability manifests as a null pointer dereference in the PSLvl2page function when processing TIFF files. This issue specifically occurs under certain conditions: when either DEFERSTRILE_LOAD (defer-strile-load:BOOL=ON) is enabled or when the TIFFOpen command is used with the "rD" option. The vulnerability has been assigned a CVSS v3.1 Base Score of 2.5 (Low) with the vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD, VulDB).

The vulnerability primarily affects system availability through potential application crashes. When exploited, it can lead to a denial of service condition due to the null pointer dereference, though the impact is limited due to the local attack vector and high attack complexity (VulDB).

A patch (commit 6ba36f159fd396ad11bf6b7874554197736ecc8b) has been released to address this vulnerability. It is recommended to apply this patch to affected systems. The fix involves checking the return value of TIFFGetField() for TIFFTAGSTRIPBYTECOUNTS and TIFFTAGTILEBYTECOUNTS to prevent the null pointer dereference (GitLab).