Amazon Linux 2023 Security Advisory: ALAS-2023-159
Advisory Release Date: 2023-04-13 17:56 Pacific
Advisory Updated Date: 2023-04-19 21:51 Pacific
Severity:
Medium
Issue Overview:
In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes. (CVE-2023-24056)
Affected Packages:
pkgconf
Issue Correction:
Run dnf update pkgconf --releasever=2023.0.20230419 to update your system.
New Packages:
aarch64:
pkgconf-debugsource-1.8.0-4.amzn2023.0.2.aarch64
libpkgconf-1.8.0-4.amzn2023.0.2.aarch64
libpkgconf-debuginfo-1.8.0-4.amzn2023.0.2.aarch64
libpkgconf-devel-1.8.0-4.amzn2023.0.2.aarch64
pkgconf-1.8.0-4.amzn2023.0.2.aarch64
pkgconf-debuginfo-1.8.0-4.amzn2023.0.2.aarch64
pkgconf-pkg-config-1.8.0-4.amzn2023.0.2.aarch64
noarch:
pkgconf-m4-1.8.0-4.amzn2023.0.2.noarch
src:
pkgconf-1.8.0-4.amzn2023.0.2.src
x86_64:
pkgconf-debugsource-1.8.0-4.amzn2023.0.2.x86_64
libpkgconf-1.8.0-4.amzn2023.0.2.x86_64
pkgconf-debuginfo-1.8.0-4.amzn2023.0.2.x86_64
libpkgconf-devel-1.8.0-4.amzn2023.0.2.x86_64
pkgconf-1.8.0-4.amzn2023.0.2.x86_64
pkgconf-pkg-config-1.8.0-4.amzn2023.0.2.x86_64
libpkgconf-debuginfo-1.8.0-4.amzn2023.0.2.x86_64