ALAS-2022-194

References: CVE-2022-0561  CVE-2022-0562  CVE-2022-0865  CVE-2022-0891  CVE-2022-0907  CVE-2022-0908  CVE-2022-0909  CVE-2022-0924  CVE-2022-1056  CVE-2022-1354  CVE-2022-1355  CVE-2022-1622  CVE-2022-1623  CVE-2022-2056  CVE-2022-2057  CVE-2022-2058  CVE-2022-22844  CVE-2022-2869  CVE-2022-34526 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A divide-by-zero vulnerability was found in libtiff. This flaw allows an attacker to cause a denial of service via a crafted tiff file. (CVE-2022-2056)

A divide-by-zero vulnerability was found in libtiff. This flaw allows an attacker to cause a denial of service via a crafted tiff file. (CVE-2022-2057)

A divide-by-zero vulnerability was found in libtiff. This flaw allows an attacker to cause a denial of service via a crafted tiff file. (CVE-2022-2058)

A stack overflow flaw was found in the _TIFFVGetField function of Tiffsplit. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted TIFF file. (CVE-2022-34526)

Issue Correction:
Run dnf update libtiff --releasever=2022.0.20221102 to update your system.

New Packages:

aarch64:
    libtiff-debugsource-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-static-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-debuginfo-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-devel-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-tools-debuginfo-4.4.0-4.amzn2022.0.1.aarch64
    libtiff-tools-4.4.0-4.amzn2022.0.1.aarch64

src:
    libtiff-4.4.0-4.amzn2022.0.1.src

x86_64:
    libtiff-debugsource-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-static-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-debuginfo-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-tools-debuginfo-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-tools-4.4.0-4.amzn2022.0.1.x86_64
    libtiff-devel-4.4.0-4.amzn2022.0.1.x86_64