Amazon Linux 2022 Security Advisory: ALAS-2022-158
Advisory Release Date: 2022-11-01 21:23 Pacific
Advisory Updated Date: 2022-11-03 21:04 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
An out-of-bounds access flaw was found in zlib, which allows memory corruption when deflating (ex: when compressing) if the input has many distant matches. For some rare inputs with a large number of distant matches (crafted payloads), the buffer into which the compressed or deflated data is written can overwrite the distance symbol table which it overlays. This issue results in corrupted output due to invalid distances, which leads to out-of-bound access, corrupting the memory and potentially crashing the application. (CVE-2018-25032)
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation. (CVE-2022-29154)
A security vulnerability was found in zlib. The flaw triggered a heap-based buffer in inflate in the inflate.c function via a large gzip header extra field. This flaw is only applicable in the call inflateGetHeader. (CVE-2022-37434)
Affected Packages:
rsync
Issue Correction:
Run dnf update rsync --releasever=2022.0.20221102 to update your system.
aarch64:
rsync-debuginfo-3.2.6-1.amzn2022.0.2.aarch64
rsync-debugsource-3.2.6-1.amzn2022.0.2.aarch64
rsync-3.2.6-1.amzn2022.0.2.aarch64
noarch:
rsync-daemon-3.2.6-1.amzn2022.0.2.noarch
src:
rsync-3.2.6-1.amzn2022.0.2.src
x86_64:
rsync-debuginfo-3.2.6-1.amzn2022.0.2.x86_64
rsync-debugsource-3.2.6-1.amzn2022.0.2.x86_64
rsync-3.2.6-1.amzn2022.0.2.x86_64