Amazon Linux 2023 Security Advisory: ALAS-2023-067
Advisory Release Date: 2023-02-17 20:46 Pacific
Advisory Updated Date: 2023-02-22 23:32 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1. (CVE-2022-2519)
A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input. (CVE-2022-2520)
It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input. (CVE-2022-2521)
libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. (CVE-2022-2868)
LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8. (CVE-2022-2953)
Affected Packages:
libtiff
Issue Correction:
Run dnf update libtiff --releasever=2023.0.20230222 to update your system.
aarch64:
libtiff-tools-4.4.0-4.amzn2023.0.4.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.4.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.4.aarch64
libtiff-static-4.4.0-4.amzn2023.0.4.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.4.aarch64
libtiff-4.4.0-4.amzn2023.0.4.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.4.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.4.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.4.x86_64
libtiff-static-4.4.0-4.amzn2023.0.4.x86_64
libtiff-4.4.0-4.amzn2023.0.4.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.4.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.4.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.4.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.4.x86_64