ALAS-2024-508

Amazon Linux 2023 Security Advisory: ALAS-2024-508
Advisory Release Date: 2024-02-01 17:56 Pacific
Advisory Updated Date: 2024-02-06 15:00 Pacific
Severity: Important
Issue Overview:

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

NOTE: https://sqlite.org/forum/forumpost/5bcbf4571c
NOTE: Fixed by: https://sqlite.org/src/info/0e4e7a05c4204b47 (CVE-2023-7104)


Affected Packages:

polkit


Issue Correction:
Run dnf update polkit --releasever 2023.3.20240205 to update your system.

New Packages:
aarch64:
    polkit-libs-debuginfo-0.117-11.amzn2023.0.1.aarch64
    polkit-devel-0.117-11.amzn2023.0.1.aarch64
    polkit-debuginfo-0.117-11.amzn2023.0.1.aarch64
    polkit-libs-0.117-11.amzn2023.0.1.aarch64
    polkit-0.117-11.amzn2023.0.1.aarch64
    polkit-debugsource-0.117-11.amzn2023.0.1.aarch64

noarch:
    polkit-docs-0.117-11.amzn2023.0.1.noarch

src:
    polkit-0.117-11.amzn2023.0.1.src

x86_64:
    polkit-libs-debuginfo-0.117-11.amzn2023.0.1.x86_64
    polkit-debuginfo-0.117-11.amzn2023.0.1.x86_64
    polkit-devel-0.117-11.amzn2023.0.1.x86_64
    polkit-libs-0.117-11.amzn2023.0.1.x86_64
    polkit-0.117-11.amzn2023.0.1.x86_64
    polkit-debugsource-0.117-11.amzn2023.0.1.x86_64

Additional References

Red Hat: CVE-2023-7104

Mitre: CVE-2023-7104