Amazon Linux 2023 Security Advisory: ALAS-2023-075
Advisory Release Date: 2023-02-17 20:46 Pacific
Advisory Updated Date: 2024-01-19 01:31 Pacific
Severity: Medium

Issue Overview:

2024-01-19: CVE-2020-23922 was added to this advisory.

An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read. (CVE-2020-23922)

There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45. (CVE-2022-28506)


Affected Packages:

giflib


Issue Correction:
Run dnf update giflib --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    giflib-debuginfo-5.2.1-9.amzn2023.aarch64
    giflib-utils-debuginfo-5.2.1-9.amzn2023.aarch64
    giflib-debugsource-5.2.1-9.amzn2023.aarch64
    giflib-5.2.1-9.amzn2023.aarch64
    giflib-utils-5.2.1-9.amzn2023.aarch64
    giflib-devel-5.2.1-9.amzn2023.aarch64

src:
    giflib-5.2.1-9.amzn2023.src

x86_64:
    giflib-debugsource-5.2.1-9.amzn2023.x86_64
    giflib-utils-debuginfo-5.2.1-9.amzn2023.x86_64
    giflib-devel-5.2.1-9.amzn2023.x86_64
    giflib-debuginfo-5.2.1-9.amzn2023.x86_64
    giflib-5.2.1-9.amzn2023.x86_64
    giflib-utils-5.2.1-9.amzn2023.x86_64