ALAS2023-2023-225


Amazon Linux 2023 Security Advisory: ALAS-2023-225
Advisory Release Date: 2023-06-21 19:10 Pacific
Advisory Updated Date: 2023-06-27 20:58 Pacific
Severity: Medium

Issue Overview:

The upstream bug report describes this issue as follows:

A vulnerability was found in GLib2.0, where a DoS is caused by handling a malicious text-form variant which is structured to cause looping superlinear to its text size. Applications are at risk if they parse untrusted text-form variants. (CVE-2023-24593)

The upstream bug report describes this issue as follows:

A vulnerability was found in GLib2.0, where a DoS is caused by handling a malicious text-form variant which is structured to cause looping superlinear to its text size. Applications are at risk if they parse untrusted text-form variants. (CVE-2023-25180)

GLib's GVariant deserialization prior to GLib 2.74.4 failed to validate that the input conforms to the expected format, leading to denial of service. (CVE-2023-29499)

GLib's GVariant deserialization prior to GLib 2.74.4 is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service. (CVE-2023-32611)

GLib's GVariant deserialization prior to GLib 2.74.4 is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service. (CVE-2023-32665)


Affected Packages:

glib2


Issue Correction:
Run dnf update glib2 --releasever 2023.1.20230628 to update your system.
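
One way to confirm the correction on a host or across a collected package inventory, added here as an example and not part of the advisory: the script parses package names as printed by `rpm -qa` and flags glib2 builds older than the fixed 2.74.7-688.amzn2023.0.1 listed under New Packages. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Fixed glib2 build, taken from this advisory's New Packages list.
FIXED_EVR="2.74.7-688.amzn2023.0.1"

# evr_at_least INSTALLED FIXED: succeed when INSTALLED sorts at or above FIXED.
# Assumption: GNU sort -V orders dotted numeric version-release strings the
# same way rpm does for the builds relevant here (no epoch, no tilde/caret).
evr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_nevra_list: read name-version-release.arch lines on stdin and print
# "fixed <pkg>" or "vulnerable <pkg>" for glib2 and its subpackages.
audit_nevra_list() {
    while IFS= read -r nevra; do
        [ -n "$nevra" ] || continue
        rest=${nevra%.*}        # drop the trailing .arch
        release=${rest##*-}     # text after the last hyphen
        rest=${rest%-*}
        version=${rest##*-}     # text after the second-to-last hyphen
        name=${rest%-*}         # may itself contain hyphens (glib2-devel)
        case $name in
            glib2|glib2-*) ;;
            *) continue ;;
        esac
        if evr_at_least "$version-$release" "$FIXED_EVR"; then
            echo "fixed $nevra"
        else
            echo "vulnerable $nevra"
        fi
    done
}

# Constructed sample inventory (not real host data): one build at the fixed
# release, one older, one unrelated package, one newer.
sample_inventory() {
    cat <<'EOF'
glib2-2.74.7-688.amzn2023.0.1.x86_64
glib2-devel-2.74.1-2.amzn2023.0.2.x86_64
openssl-libs-3.0.8-1.amzn2023.0.3.x86_64
glib2-doc-2.74.10-1.amzn2023.0.1.noarch
EOF
}

# On a real host, feed the installed set instead: rpm -qa | audit_nevra_list
sample_inventory | audit_nevra_list
```

Any line reported as vulnerable identifies a package still below the build this advisory ships.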

New Packages:
aarch64:
    glib2-static-2.74.7-688.amzn2023.0.1.aarch64
    glib2-devel-debuginfo-2.74.7-688.amzn2023.0.1.aarch64
    glib2-2.74.7-688.amzn2023.0.1.aarch64
    glib2-debuginfo-2.74.7-688.amzn2023.0.1.aarch64
    glib2-devel-2.74.7-688.amzn2023.0.1.aarch64
    glib2-debugsource-2.74.7-688.amzn2023.0.1.aarch64
    glib2-tests-2.74.7-688.amzn2023.0.1.aarch64
    glib2-tests-debuginfo-2.74.7-688.amzn2023.0.1.aarch64

noarch:
    glib2-doc-2.74.7-688.amzn2023.0.1.noarch

src:
    glib2-2.74.7-688.amzn2023.0.1.src

x86_64:
    glib2-static-2.74.7-688.amzn2023.0.1.x86_64
    glib2-debuginfo-2.74.7-688.amzn2023.0.1.x86_64
    glib2-devel-debuginfo-2.74.7-688.amzn2023.0.1.x86_64
    glib2-debugsource-2.74.7-688.amzn2023.0.1.x86_64
    glib2-2.74.7-688.amzn2023.0.1.x86_64
    glib2-devel-2.74.7-688.amzn2023.0.1.x86_64
    glib2-tests-2.74.7-688.amzn2023.0.1.x86_64
    glib2-tests-debuginfo-2.74.7-688.amzn2023.0.1.x86_64