ALAS-2024-527


Amazon Linux 2023 Security Advisory: ALAS-2024-527
Advisory Release Date: 2024-02-15 02:52 Pacific
Advisory Updated Date: 2024-02-19 20:26 Pacific
Severity: Medium

Issue Overview:

Buffer overflow in graphviz via a crafted config6a file.

NOTE: Crosses no security boundary; config files are under local control
NOTE: https://gitlab.com/graphviz/graphviz/-/issues/2441
NOTE: Introduced by: https://gitlab.com/graphviz/graphviz/-/commit/cf95714837f06f684929b54659523c2c9b1fc19f (2.38.0)
NOTE: Fixed by: https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb
NOTE: Fixed by: https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a
NOTE: Fixed by: https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e (CVE-2023-46045)


Affected Packages:

graphviz


Issue Correction:
Run dnf update graphviz --releasever 2023.3.20240219 to update your system.

New Packages:
aarch64:
    graphviz-perl-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-lua-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-graphs-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-gd-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-ocaml-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-gd-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-doc-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-perl-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-debugsource-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-devel-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-java-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-tcl-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-lua-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-java-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-ocaml-debuginfo-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-tcl-2.44.0-25.amzn2023.0.7.aarch64
    graphviz-2.44.0-25.amzn2023.0.7.aarch64

src:
    graphviz-2.44.0-25.amzn2023.0.7.src

x86_64:
    graphviz-ocaml-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-tcl-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-perl-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-graphs-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-lua-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-lua-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-java-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-debugsource-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-perl-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-gd-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-devel-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-tcl-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-gd-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-ocaml-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-java-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-debuginfo-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-doc-2.44.0-25.amzn2023.0.7.x86_64
    graphviz-2.44.0-25.amzn2023.0.7.x86_64