ALAS2-2025-3019


Amazon Linux 2 Security Advisory: ALAS2-2025-3019
Advisory Released Date: 2025-10-14
Advisory Updated Date: 2025-10-14
Severity: Medium

Issue Overview:

Multiple potential integer overflows in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow. (CVE-2023-40745)

A vulnerability was identified in LibTIFF 4.7.0. This issue affects the function May of the file tiffcrop.c of the tiffcrop component. The manipulation leads to memory corruption. The attack requires local access. The exploit has been disclosed to the public and may be used. (CVE-2025-8961)


Affected Packages:

libtiff


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update libtiff or yum update --advisory ALAS2-2025-3019 to update your system.

New Packages:
aarch64:
    libtiff-4.0.3-35.amzn2.0.26.aarch64
    libtiff-devel-4.0.3-35.amzn2.0.26.aarch64
    libtiff-static-4.0.3-35.amzn2.0.26.aarch64
    libtiff-tools-4.0.3-35.amzn2.0.26.aarch64
    libtiff-debuginfo-4.0.3-35.amzn2.0.26.aarch64

i686:
    libtiff-4.0.3-35.amzn2.0.26.i686
    libtiff-devel-4.0.3-35.amzn2.0.26.i686
    libtiff-static-4.0.3-35.amzn2.0.26.i686
    libtiff-tools-4.0.3-35.amzn2.0.26.i686
    libtiff-debuginfo-4.0.3-35.amzn2.0.26.i686

src:
    libtiff-4.0.3-35.amzn2.0.26.src

x86_64:
    libtiff-4.0.3-35.amzn2.0.26.x86_64
    libtiff-devel-4.0.3-35.amzn2.0.26.x86_64
    libtiff-static-4.0.3-35.amzn2.0.26.x86_64
    libtiff-tools-4.0.3-35.amzn2.0.26.x86_64
    libtiff-debuginfo-4.0.3-35.amzn2.0.26.x86_64
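After applying the update, a practitioner will usually want to confirm that every installed libtiff subpackage is at or above the fixed build listed above. The following is an added example, not part of the advisory or of Amazon's tooling: it compares an installed version-release pair against 4.0.3-35.amzn2.0.26 using GNU `sort -V` (assumed available, as on AL2), and assumes libtiff carries no RPM epoch.

```shell
#!/bin/sh
# Added example (not from ALAS2-2025-3019): check installed libtiff builds on
# Amazon Linux 2 against the fixed release named in the advisory.
FIXED_VER="4.0.3"
FIXED_REL="35.amzn2.0.26"

# is_fixed VERSION RELEASE: returns 0 when VERSION-RELEASE is at or above the
# fixed build. Version is compared first; the release string is only consulted
# when versions are equal, mirroring rpm's version-then-release ordering.
# Assumes GNU sort -V and no epoch on the libtiff package.
is_fixed() {
  ver="$1"; rel="$2"
  if [ "$ver" != "$FIXED_VER" ]; then
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VER" | sort -V | head -n1)
    # If the fixed version sorts lowest, the installed version is newer.
    if [ "$lowest" = "$FIXED_VER" ]; then return 0; else return 1; fi
  fi
  lowest=$(printf '%s\n%s\n' "$rel" "$FIXED_REL" | sort -V | head -n1)
  if [ "$lowest" = "$FIXED_REL" ]; then return 0; else return 1; fi
}

# report_packages reads "NAME VERSION RELEASE" lines from stdin, prints one
# verdict per line, and returns 2 if any build predates the fix (0 otherwise).
report_packages() {
  status=0
  while read -r name ver rel; do
    [ -n "$name" ] || continue
    if is_fixed "$ver" "$rel"; then
      echo "OK         $name-$ver-$rel"
    else
      echo "VULNERABLE $name-$ver-$rel (fixed in $FIXED_VER-$FIXED_REL)"
      status=2
    fi
  done
  return "$status"
}

# check_host queries the live RPM database for the subpackages from the
# advisory. rpm prints "package X is not installed" for absent ones; drop those.
check_host() {
  rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' \
      libtiff libtiff-devel libtiff-static libtiff-tools 2>/dev/null \
    | grep -v 'not installed' | report_packages
}

# Run against the local host only when invoked with --host.
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it as `sh check_libtiff.sh --host`; an exit status of 2 means at least one libtiff subpackage still needs the update.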