Amazon Linux 2 Security Advisory: ALAS-2024-2681
Advisory Release Date: 2024-10-24 23:54 Pacific
Advisory Updated Date: 2024-10-31 18:00 Pacific
An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-36474)
An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2024-42415)
Affected Packages:
libgsf
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libgsf to update your system.
aarch64:
libgsf-1.14.26-7.amzn2.0.3.aarch64
libgsf-devel-1.14.26-7.amzn2.0.3.aarch64
libgsf-debuginfo-1.14.26-7.amzn2.0.3.aarch64
i686:
libgsf-1.14.26-7.amzn2.0.3.i686
libgsf-devel-1.14.26-7.amzn2.0.3.i686
libgsf-debuginfo-1.14.26-7.amzn2.0.3.i686
src:
libgsf-1.14.26-7.amzn2.0.3.src
x86_64:
libgsf-1.14.26-7.amzn2.0.3.x86_64
libgsf-devel-1.14.26-7.amzn2.0.3.x86_64
libgsf-debuginfo-1.14.26-7.amzn2.0.3.x86_64