CVE-2023-3316

Name
CVE-2023-3316
Description
A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.
NVD Severity
medium

References

Type     URI
MISC     https://research.jfrog.com/vulnerabilities/libtiff-nullderef-dos-xray-522144/
Patch    https://gitlab.com/libtiff/libtiff/-/merge_requests/468
Exploit  https://gitlab.com/libtiff/libtiff/-/issues/515
MISC     https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html

Match rules

CPE URI                                        Source package  Min version  Max version
cpe:2.3:a:libtiff:libtiff:3.9.0:*:*:*:*:*:*:*  libtiff         == None      == 3.9.0
cpe:2.3:a:libtiff:libtiff:4.5.1:*:*:*:*:*:*:*  libtiff         == None      == 4.5.1
cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*      libtiff         >= 3.9.0     < 4.5.1

Vulnerable and fixed packages

Source package  Branch     Version   Maintainer                        Status
tiff            3.17-main  4.4.0-r4  Michael Mason <ms13sp@gmail.com>  fixed
tiff            3.16-main  4.4.0-r4  Michael Mason <ms13sp@gmail.com>  fixed
tiff            3.15-main  4.4.0-r4  Michael Mason <ms13sp@gmail.com>  fixed