Amazon Linux 2 Security Advisory: ALAS-2025-2727
Advisory Release Date: 2025-01-04 00:04 Pacific
Advisory Updated Date: 2025-01-09 15:39 Pacific
Severity:
Medium
Issue Overview:
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. (CVE-2024-40897)
Affected Packages:
orc
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update orc to update your system.
New Packages:
aarch64:
orc-0.4.26-1.amzn2.0.3.aarch64
orc-devel-0.4.26-1.amzn2.0.3.aarch64
orc-compiler-0.4.26-1.amzn2.0.3.aarch64
orc-debuginfo-0.4.26-1.amzn2.0.3.aarch64
i686:
orc-0.4.26-1.amzn2.0.3.i686
orc-devel-0.4.26-1.amzn2.0.3.i686
orc-compiler-0.4.26-1.amzn2.0.3.i686
orc-debuginfo-0.4.26-1.amzn2.0.3.i686
noarch:
orc-doc-0.4.26-1.amzn2.0.3.noarch
src:
orc-0.4.26-1.amzn2.0.3.src
x86_64:
orc-0.4.26-1.amzn2.0.3.x86_64
orc-devel-0.4.26-1.amzn2.0.3.x86_64
orc-compiler-0.4.26-1.amzn2.0.3.x86_64
orc-debuginfo-0.4.26-1.amzn2.0.3.x86_64