Amazon Linux 2022 Security Advisory: ALAS-2022-094
Advisory Release Date: 2022-06-28 23:52 Pacific
Advisory Updated Date: 2022-10-17 23:30 Pacific
A heap buffer overflow flaw was found in Libtiff's tiffinfo.c in the TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow and causing a crash that leads to a denial of service. (CVE-2022-1354)
A stack buffer overflow flaw was found in Libtiff's tiffcp.c in the main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow, possibly corrupting memory, and causing a crash that leads to a denial of service. (CVE-2022-1355)
An out-of-bounds read vulnerability was found in Libtiff's LZWDecode() function in libtiff/tif_lzw.c. This flaw allows an attacker to perform a denial-of-service attack via a crafted TIFF file, leading to the application crashing. (CVE-2022-1622)
An out-of-bounds read vulnerability was found in Libtiff's LZWDecode() function in libtiff/tif_lzw.c. This flaw allows an attacker to perform a denial-of-service attack via a crafted TIFF file, leading to the application crashing. (CVE-2022-1623)
Affected Packages:
libtiff
Issue Correction:
Run dnf update --releasever=2022.0.20220628 libtiff to update your system.
aarch64:
libtiff-debugsource-4.4.0-1.amzn2022.aarch64
libtiff-tools-4.4.0-1.amzn2022.aarch64
libtiff-static-4.4.0-1.amzn2022.aarch64
libtiff-debuginfo-4.4.0-1.amzn2022.aarch64
libtiff-4.4.0-1.amzn2022.aarch64
libtiff-devel-4.4.0-1.amzn2022.aarch64
libtiff-tools-debuginfo-4.4.0-1.amzn2022.aarch64
src:
libtiff-4.4.0-1.amzn2022.src
x86_64:
libtiff-debugsource-4.4.0-1.amzn2022.x86_64
libtiff-debuginfo-4.4.0-1.amzn2022.x86_64
libtiff-4.4.0-1.amzn2022.x86_64
libtiff-static-4.4.0-1.amzn2022.x86_64
libtiff-tools-4.4.0-1.amzn2022.x86_64
libtiff-devel-4.4.0-1.amzn2022.x86_64
libtiff-tools-debuginfo-4.4.0-1.amzn2022.x86_64
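To confirm that a host actually picked up the fix after the Issue Correction step, here is an added example (not part of the advisory or of Amazon's tooling) that compares installed libtiff package versions against the 4.4.0-1.amzn2022 listed above using a simplified rpm-style version comparison; the rpm -qa output it parses is a constructed sample, and the comparator is assumed to need no tilde/caret handling.

```python
import re

# Fixed version-release from ALAS-2022-094 (same for every libtiff subpackage)
FIXED_VERSION = "4.4.0"
FIXED_RELEASE = "1.amzn2022"
_SEG = re.compile(r"\d+|[a-zA-Z]+")

def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare digit/alpha runs; digits numerically,
    alpha lexically, and a numeric run sorts after an alphabetic one, as rpm
    does. Returns -1, 0 or 1. Assumption: no tilde/caret markers needed."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(nvra: str):
    """Split 'name-version-release.arch' (rpm -qa output) into its parts."""
    body, arch = nvra.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch

def is_fixed(nvra: str) -> bool:
    """True when the installed package is at or above the advisory's fix."""
    _, version, release, _ = parse_nvra(nvra)
    c = rpm_vercmp(version, FIXED_VERSION)
    return c > 0 if c != 0 else rpm_vercmp(release, FIXED_RELEASE) >= 0

def vulnerable_packages(rpm_qa_output: str) -> list:
    """Return the libtiff* packages in rpm -qa output still below the fix."""
    pkgs = [l.strip() for l in rpm_qa_output.splitlines() if l.strip()]
    return [p for p in pkgs if p.startswith("libtiff") and not is_fixed(p)]

# Constructed sample of `rpm -qa 'libtiff*'` from a partially patched host
SAMPLE = """\
libtiff-4.3.0-6.amzn2022.x86_64
libtiff-tools-4.3.0-6.amzn2022.x86_64
libtiff-devel-4.4.0-1.amzn2022.x86_64
"""

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE):
        print("needs ALAS-2022-094 update:", pkg)
```

On a real host, feed it the output of `rpm -qa 'libtiff*'` instead of SAMPLE; any package it prints has not yet been updated to the advisory's version.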