Amazon Linux 2022 Security Advisory: ALAS-2022-183
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-11-03 20:59 Pacific
Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd. (CVE-2022-1056)
A heap buffer overflow flaw was found in Libtiff's tiffinfo.c in the TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow and causing a crash that leads to a denial of service. (CVE-2022-1354)
A stack buffer overflow flaw was found in Libtiff's tiffcp.c in the main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow, possibly corrupting memory, and causing a crash that leads to a denial of service. (CVE-2022-1355)
An out-of-bounds read vulnerability was found in Libtiff's LZWDecode() function in libtiff/tif_lzw.c. This flaw allows an attacker to perform a denial-of-service attack via a crafted tiff file, leading to the application crashing. (CVE-2022-1622)
An out-of-bounds read vulnerability was found in Libtiff's LZWDecode() function in libtiff/tif_lzw.c. This flaw allows an attacker to perform a denial-of-service attack via a crafted tiff file, leading to the application crashing. (CVE-2022-1623)
A flaw was found in libtiff's tiffcrop tool: a uint32_t underflow leads to an out-of-bounds read and write in the extractContigSamples8bits routine. This flaw allows an attacker who supplies a crafted file to trick a user into opening it with tiffcrop, causing a crash or potential further exploitation. (CVE-2022-2869)
Affected Packages:
libtiff
Issue Correction:
Run dnf update libtiff --releasever=2022.0.20221102 to update your system.
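The following script is an added example, not part of the advisory or of Amazon Linux tooling. It checks whether an installed libtiff package is older than the fixed build listed in this advisory (4.4.0-1.amzn2022.0.1) and prints the update command if so. It assumes GNU coreutils `sort -V` as an approximation of rpm's version ordering (rpmdev-vercmp is the authoritative comparison) and that `rpm` is present on the host being checked; the comparison functions also work on constructed version strings without rpm.

```shell
#!/bin/sh
# Added example (not from ALAS-2022-183 itself): compare the installed libtiff
# version-release against the fixed build named in the advisory.

# Fixed version-release, taken from the advisory's package list.
FIXED="4.4.0-1.amzn2022.0.1"

# version_lt A B: succeed (exit 0) when A sorts strictly before B in
# version order. Uses GNU sort -V as an approximation of rpm's ordering
# (assumption: GNU coreutils is available).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# needs_update VR: succeed when the installed version-release VR is older
# than FIXED. VR has the form printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}' libtiff
needs_update() {
    version_lt "$1" "$FIXED"
}

# check_host: query the local rpm database (if rpm exists) and report.
# If libtiff is installed for several architectures, only the first entry
# is inspected (constructed simplification for this example).
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot query installed libtiff"
        return 0
    fi
    if ! installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libtiff 2>/dev/null)"; then
        echo "libtiff is not installed; ALAS-2022-183 does not apply"
        return 0
    fi
    installed="$(printf '%s\n' "$installed" | head -n 1)"
    if needs_update "$installed"; then
        echo "libtiff $installed is older than $FIXED:"
        echo "  run: dnf update libtiff --releasever=2022.0.20221102"
    else
        echo "libtiff $installed is at or above the fixed build $FIXED"
    fi
    return 0
}

check_host
```

Run the script as-is on an Amazon Linux 2022 host to get a one-line verdict; on a machine without rpm it only reports that it cannot query the package database. Note that the version-string comparison is a convenience check, not a substitute for confirming the update through dnf itself.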
aarch64:
libtiff-debugsource-4.4.0-1.amzn2022.0.1.aarch64
libtiff-static-4.4.0-1.amzn2022.0.1.aarch64
libtiff-debuginfo-4.4.0-1.amzn2022.0.1.aarch64
libtiff-tools-4.4.0-1.amzn2022.0.1.aarch64
libtiff-4.4.0-1.amzn2022.0.1.aarch64
libtiff-tools-debuginfo-4.4.0-1.amzn2022.0.1.aarch64
libtiff-devel-4.4.0-1.amzn2022.0.1.aarch64
src:
libtiff-4.4.0-1.amzn2022.0.1.src
x86_64:
libtiff-static-4.4.0-1.amzn2022.0.1.x86_64
libtiff-debugsource-4.4.0-1.amzn2022.0.1.x86_64
libtiff-debuginfo-4.4.0-1.amzn2022.0.1.x86_64
libtiff-tools-debuginfo-4.4.0-1.amzn2022.0.1.x86_64
libtiff-4.4.0-1.amzn2022.0.1.x86_64
libtiff-tools-4.4.0-1.amzn2022.0.1.x86_64
libtiff-devel-4.4.0-1.amzn2022.0.1.x86_64