ALAS2-2023-1929

Amazon Linux 2 Security Advisory: ALAS-2023-1929
Advisory Release Date: 2023-01-31 19:19 Pacific
Advisory Updated Date: 2023-02-04 18:28 Pacific
Severity: Medium
Issue Overview:

Heap-based buffer overflow in the pstoedit_suffix_table_init function in output-pstoedit.c in AutoTrace 0.31.1 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted bmp image file. (CVE-2016-7392)

A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 allows attackers to provide an unexpected input value to malloc via a malformed bitmap image. (CVE-2019-19004)

A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image. This may occur after the use-after-free in CVE-2017-9182. (CVE-2019-19005)


Affected Packages:

autotrace


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update autotrace to update your system.

New Packages:
aarch64:
    autotrace-0.31.1-38.amzn2.0.1.aarch64
    autotrace-devel-0.31.1-38.amzn2.0.1.aarch64
    autotrace-debuginfo-0.31.1-38.amzn2.0.1.aarch64

i686:
    autotrace-0.31.1-38.amzn2.0.1.i686
    autotrace-devel-0.31.1-38.amzn2.0.1.i686
    autotrace-debuginfo-0.31.1-38.amzn2.0.1.i686

src:
    autotrace-0.31.1-38.amzn2.0.1.src

x86_64:
    autotrace-0.31.1-38.amzn2.0.1.x86_64
    autotrace-devel-0.31.1-38.amzn2.0.1.x86_64
    autotrace-debuginfo-0.31.1-38.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2016-7392, CVE-2019-19004, CVE-2019-19005

Mitre: CVE-2016-7392, CVE-2019-19004, CVE-2019-19005