ALAS-2022-1872

2023-10-25: CVE-2022-2869 was added to this advisory.

2023-10-12: CVE-2022-2868 was added to this advisory.

A flaw was found in libtiffs tiffcrop utility that has a uint32_t underflow that can lead to an out-of-bounds read and write. This flaw allows an attacker who supplies a crafted file to tiffcrop to cause a crash or, in some cases, further exploitation. (CVE-2022-2867)

libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. (CVE-2022-2868)

A flaw was found in libtiff's tiffcrop tool that has a uint32_t underflow, which leads to an out-of-bounds read and write in the extractContigSamples8bits routine. This flaw allows an attacker who supplies a crafted file to tiffcrop to trick a user into opening the crafted file with tiffcrop, causing a crash or potential further exploitations. (CVE-2022-2869)

aarch64:
    libtiff-4.0.3-35.amzn2.0.3.aarch64
    libtiff-devel-4.0.3-35.amzn2.0.3.aarch64
    libtiff-static-4.0.3-35.amzn2.0.3.aarch64
    libtiff-tools-4.0.3-35.amzn2.0.3.aarch64
    libtiff-debuginfo-4.0.3-35.amzn2.0.3.aarch64

i686:
    libtiff-4.0.3-35.amzn2.0.3.i686
    libtiff-devel-4.0.3-35.amzn2.0.3.i686
    libtiff-static-4.0.3-35.amzn2.0.3.i686
    libtiff-tools-4.0.3-35.amzn2.0.3.i686
    libtiff-debuginfo-4.0.3-35.amzn2.0.3.i686

src:
    libtiff-4.0.3-35.amzn2.0.3.src

x86_64:
    libtiff-4.0.3-35.amzn2.0.3.x86_64
    libtiff-devel-4.0.3-35.amzn2.0.3.x86_64
    libtiff-static-4.0.3-35.amzn2.0.3.x86_64
    libtiff-tools-4.0.3-35.amzn2.0.3.x86_64
    libtiff-debuginfo-4.0.3-35.amzn2.0.3.x86_64