ALAS2023-2023-004

Amazon Linux 2023 Security Advisory: ALAS2023-2023-004
Advisory Released Date: 2023-03-22
Advisory Updated Date: 2023-03-22

Severity: Medium

References: CVE-2019-19004 CVE-2019-19005
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 allows attackers to provide an unexpected input value to malloc via a malformed bitmap image. (CVE-2019-19004)

A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image. This may occur after the use-after-free in CVE-2017-9182. (CVE-2019-19005)

Affected Packages:

autotrace

Issue Correction:
Run dnf update autotrace --releasever 2023.0.20230322 or dnf update --advisory ALAS2023-2023-004 --releasever 2023.0.20230322 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    autotrace-devel-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-debugsource-0.31.1-62.amzn2023.0.2.aarch64
    autotrace-debuginfo-0.31.1-62.amzn2023.0.2.aarch64

src:
    autotrace-0.31.1-62.amzn2023.0.2.src

x86_64:
    autotrace-debuginfo-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-devel-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-0.31.1-62.amzn2023.0.2.x86_64
    autotrace-debugsource-0.31.1-62.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2019-19004, CVE-2019-19005

Mitre: CVE-2019-19004, CVE-2019-19005