ALAS2-2020-1543

Amazon Linux 2 Security Advisory: ALAS-2020-1543
Advisory Release Date: 2020-10-22 18:38 Pacific
Advisory Updated Date: 2023-08-03 18:09 Pacific

Severity: Medium

References: CVE-2020-0569 CVE-2020-0570 CVE-2020-24742
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

2023-08-03: CVE-2020-24742 was added to this advisory.

Files placed by attacker can influence the working directory and lead to malicious code execution (CVE-2020-0569)

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. (CVE-2020-0570)

An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. (CVE-2020-24742)

Affected Packages:

qt5-qtbase

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update qt5-qtbase to update your system.

New Packages:

aarch64:
    qt5-qtbase-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-devel-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-doc-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-examples-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-static-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-mysql-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-odbc-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-postgresql-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-gui-5.9.2-3.amzn2.0.3.aarch64
    qt5-qtbase-debuginfo-5.9.2-3.amzn2.0.3.aarch64

i686:
    qt5-qtbase-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-devel-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-doc-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-examples-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-static-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-mysql-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-odbc-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-postgresql-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-gui-5.9.2-3.amzn2.0.3.i686
    qt5-qtbase-debuginfo-5.9.2-3.amzn2.0.3.i686

noarch:
    qt5-qtbase-common-5.9.2-3.amzn2.0.3.noarch
    qt5-rpm-macros-5.9.2-3.amzn2.0.3.noarch

src:
    qt5-qtbase-5.9.2-3.amzn2.0.3.src

x86_64:
    qt5-qtbase-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-devel-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-doc-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-examples-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-static-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-mysql-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-odbc-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-postgresql-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-gui-5.9.2-3.amzn2.0.3.x86_64
    qt5-qtbase-debuginfo-5.9.2-3.amzn2.0.3.x86_64

Additional References

Red Hat: CVE-2020-0569, CVE-2020-0570, CVE-2020-24742

Mitre: CVE-2020-0569, CVE-2020-0570, CVE-2020-24742