发布于3月6日3月6日 Members Amazon Linux 2023: CVE-2023-0797: Important priority package update for libtiff Severity 6 CVSS (AV:L/AC:L/Au:N/C:P/I:N/A:C) Published 02/12/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the _TIFFmemcpy function in libtiff/tif_unix.c when called by functions in tools/tiffcrop.c, resulting in a Denial of Service and limited information disclosure. Solution(s) amazon-linux-2023-upgrade-libtiff amazon-linux-2023-upgrade-libtiff-debuginfo amazon-linux-2023-upgrade-libtiff-debugsource amazon-linux-2023-upgrade-libtiff-devel amazon-linux-2023-upgrade-libtiff-static amazon-linux-2023-upgrade-libtiff-tools amazon-linux-2023-upgrade-libtiff-tools-debuginfo References https://attackerkb.com/topics/cve-2023-0797 CVE - 2023-0797 https://alas.aws.amazon.com/AL2023/ALAS-2023-255.html
