Amazon Linux 2023 Security Advisory: ALAS2023-2025-1212
Advisory Released Date: 2025-10-14
Advisory Updated Date: 2025-10-14
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. (CVE-2023-1916)
A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file. (CVE-2023-3164)
A vulnerability was identified in LibTIFF 4.7.0. This issue affects the function May of the file tiffcrop.c of the component tiffcrop. The manipulation leads to memory corruption. The attack requires local access. The exploit has been publicly disclosed and may be used. (CVE-2025-8961)
Affected Packages:
libtiff
Issue Correction:
Run dnf update libtiff --releasever 2023.9.20251014 or dnf update --advisory ALAS2023-2025-1212 --releasever 2023.9.20251014 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
libtiff-static-4.4.0-4.amzn2023.0.23.aarch64
libtiff-tools-4.4.0-4.amzn2023.0.23.aarch64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.23.aarch64
libtiff-debugsource-4.4.0-4.amzn2023.0.23.aarch64
libtiff-debuginfo-4.4.0-4.amzn2023.0.23.aarch64
libtiff-4.4.0-4.amzn2023.0.23.aarch64
libtiff-devel-4.4.0-4.amzn2023.0.23.aarch64
src:
libtiff-4.4.0-4.amzn2023.0.23.src
x86_64:
libtiff-debuginfo-4.4.0-4.amzn2023.0.23.x86_64
libtiff-static-4.4.0-4.amzn2023.0.23.x86_64
libtiff-tools-4.4.0-4.amzn2023.0.23.x86_64
libtiff-debugsource-4.4.0-4.amzn2023.0.23.x86_64
libtiff-4.4.0-4.amzn2023.0.23.x86_64
libtiff-tools-debuginfo-4.4.0-4.amzn2023.0.23.x86_64
libtiff-devel-4.4.0-4.amzn2023.0.23.x86_64
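
To confirm that a host actually picked up the fix after the update, the installed libtiff packages can be compared against the fixed build 4.4.0-4.amzn2023.0.23 listed above. The following is an added example, not part of the advisory: the function names and the sample inventory are constructed, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Fixed version-release, taken from the package list in this advisory.
FIXED_VR="4.4.0-4.amzn2023.0.23"

# vr_at_least A B: succeed when A >= B under GNU `sort -V` ordering.
# Assumption: sort -V approximates rpm's comparison for these strings
# (no epoch, same dist tag).
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_libtiff: read "name version-release" lines on stdin, report every
# libtiff package older than the fixed build, return 1 if any were found.
audit_libtiff() {
    rc=0
    while read -r name vr; do
        case "$name" in
            libtiff|libtiff-*) ;;
            *) continue ;;
        esac
        if ! vr_at_least "$vr" "$FIXED_VR"; then
            echo "VULNERABLE $name $vr (need >= $FIXED_VR)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host output): one package was
# left behind at an older, made-up release.
sample_inventory() {
    printf '%s\n' \
        "libtiff 4.4.0-4.amzn2023.0.23" \
        "libtiff-tools 4.4.0-4.amzn2023.0.22" \
        "libtiff-devel 4.4.0-4.amzn2023.0.23" \
        "libjpeg-turbo 2.1.4-2.amzn2023.0.5"
}

# On a real host, feed the check from rpm instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'libtiff*' | audit_libtiff
sample_inventory | audit_libtiff || true
```

Checking every libtiff subpackage matters here because the affected tiffcrop program ships in libtiff-tools, which can lag behind the base library if only `libtiff` was updated by name.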