ALAS2023-2023-004

Amazon Linux 2023 Security Advisory: ALAS-2023-004
Advisory Release Date: 2023-02-17 20:42 Pacific
Advisory Updated Date: 2023-02-23 00:01 Pacific

Severity: Medium

References: CVE-2019-19004 CVE-2019-19005
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 allows attackers to provide an unexpected input value to malloc via a malformed bitmap image. (CVE-2019-19004)

A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image. This may occur after the use-after-free in CVE-2017-9182. (CVE-2019-19005)

Affected Packages:

autotrace

Issue Correction:
Run dnf update autotrace --releasever=2023.0.20230222 to update your system.

New Packages:

aarch64:
    autotrace-devel-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-debugsource-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-debuginfo-0.31.1-62.amzn2023.0.2.aarch64

src:
    autotrace-0.31.1-62.amzn2023.0.2.src

x86_64:
    autotrace-debuginfo-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-devel-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-debugsource-0.31.1-62.amzn2023.0.2.x86_64

Additional References

Red Hat: CVE-2019-19004, CVE-2019-19005

Mitre: CVE-2019-19004, CVE-2019-19005

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS2023-2023-004

Additional References