ALAS2023-2023-230

2023-08-03: CVE-2023-30086 was added to this advisory.

LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125. (CVE-2022-4645)

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. (CVE-2023-0800)

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. (CVE-2023-0804)

Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c. (CVE-2023-30086)

A vulnerability was found in libtiff library. This security flaw causes a heap buffer overflow issue via TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values. (CVE-2023-30774)

aarch64:
    libtiff-debuginfo-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-static-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-tools-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-debugsource-4.4.0-4.amzn2023.0.5.aarch64
    libtiff-devel-4.4.0-4.amzn2023.0.5.aarch64

src:
    libtiff-4.4.0-4.amzn2023.0.5.src

x86_64:
    libtiff-debugsource-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-static-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-debuginfo-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-devel-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-4.4.0-4.amzn2023.0.5.x86_64
    libtiff-tools-4.4.0-4.amzn2023.0.5.x86_64