Amazon Linux AMI update for libtiff
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1056 CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-22844 CVE-2022-2869 CVE-2022-34526 CVE-2022-3970 |
| CWE-ID | CWE-476 CWE-617 CWE-787 CWE-369 CWE-125 CWE-122 CWE-119 CWE-191 CWE-121 CWE-190 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system libtiff Operating systems & Components / Operating system package or component |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) NULL pointer dereference
EUVDB-ID: #VU63326
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0561
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFFetchStripThing() in tif_dirread.c. A remote attacker can trick victim to open specially crafted TIFF file and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) NULL pointer dereference
EUVDB-ID: #VU63328
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0562
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFReadDirectory() in tif_dirread.c. A remote attacker can trick victim to open specially crafted TIFF file and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reachable Assertion
EUVDB-ID: #VU63332
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0865
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in the tiffcp component. A remote attacker can trick a victim to open a specially crafted TIFF file and perform a denial of service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds write
EUVDB-ID: #VU63329
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0891
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing TIFF file in ExtractImageSection() function in tiffcrop.c. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU63794
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0907
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in tiffcrop in libtiff. A remote attacker can trigger denial of service conditions via a crafted tiff file.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) NULL pointer dereference
EUVDB-ID: #VU63374
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0908
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFFetchNormalTag () in tif_dirread.c. A remote attacker can pass specially crafted TIFF file to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Division by zero
EUVDB-ID: #VU63376
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0909
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a division by zero error in the tiffcrop component. A remote attacker can pass a specially crafted TIFF file to the application and crash it.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU63378
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0924
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial-of-service attack.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger out-of-bounds read error and perform a denial-of-service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU63379
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1056
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial-of-service attack.
The vulnerability exists due to a boundary condition in the tiffcrop component. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger out-of-bounds read error and perform a denial-of-service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Heap-based buffer overflow
EUVDB-ID: #VU67498
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1354
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the TIFFReadRawDataStriped() function in tiffinfo.c. A remote attacker can pass specially crafted TIFF file to the application that is using the affected library, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU67497
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1355
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within tiffcp.c when processing TIFF files. A remote attacker can pass specially crafted TIFF file to the application that is using the affected library, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds read
EUVDB-ID: #VU63826
Risk: Medium
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1622
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition in LZWDecode() function in libtiff/tif_lzw.c:619. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger out-of-bounds read error and to perform a denial of service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Out-of-bounds read
EUVDB-ID: #VU63824
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1623
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition in LZWDecode() function in libtiff/tif_lzw.c:624. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger out-of-bounds read error and perform a denial of service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Division by zero
EUVDB-ID: #VU65440
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2056
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to a division by zero error when parsing TIFF
files in tiffcrop. A remote attacker can trick the victim to open a specially
crafted file and crash the affected application.
Update the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Division by zero
EUVDB-ID: #VU65441
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2057
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a division by zero error when parsing TIFF files in tiffcrop. A remote attacker can trick the victim to open a specially crafted file and crash the affected application. MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Division by zero
EUVDB-ID: #VU65439
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2058
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a division by zero error when parsing TIFF files in tiffcrop. A remote attacker can trick the victim to open a specially crafted file and crash the affected application.
Update the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Out-of-bounds read
EUVDB-ID: #VU63795
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22844
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition in the _TIFFmemcpy() function in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. A remote attacker can pass a specially crafted file and perform a denial of service attack.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Integer underflow
EUVDB-ID: #VU67138
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2869
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow within the extractContigSamples8bits routine in the tiffcrop utility. A remote attacker can pass a specially crafted file to the affected application, trigger an integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Stack-based buffer overflow
EUVDB-ID: #VU69403
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34526
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the _TIFFVGetField() function in Tiffsplit. A remote attacker can pass specially crafted file to the application, trigger a stack-based buffer overflow and perform a denial of service (DoS) attack.
Update the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Integer overflow
EUVDB-ID: #VU69585
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3970
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the TIFFReadRGBATileExt() function in libtiff/tif_getimage.c. A remote attacker can trick the victim to open a specially crafted TIFF file, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
libtiff-tools-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.3.aarch64
libtiff-static-4.4.0-4.amzn2023.0.3.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-4.4.0-4.amzn2023.0.3.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.3.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.3.src
x86_64:
libtiff-debugsource-4.4.0-4.amzn2023.0.3.x86_64
libtiff-4.4.0-4.amzn2023.0.3.x86_64
libtiff-static-4.4.0-4.amzn2023.0.3.x86_64
libtiff-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.3.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.3.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.3.x86_64
Amazon Linux AMI: All versions
libtiff: before 4.4.0-4
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-050.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
