Amazon Linux 2023 Security Advisory: ALAS-2024-579
Advisory Release Date: 2024-03-27 22:12 Pacific
Advisory Updated Date: 2024-10-24 22:53 Pacific
Severity: Medium

Issue Overview:

2024-10-24: CVE-2024-31745 was added to this advisory.

In a multiply-corrupted DWARF object libdwarf may try to dealloc (free) an allocation twice. Results are unpredictable and various. This has been a possibility since we added code to prevent leaks when generating 'unattached' Dwarf_Error records (where there is no Dwarf_Debug available at the point of error). The problem was introduced in libdwarf-0.1.0 in 2021. (CVE-2024-2002)

Libdwarf v0.9.1 was discovered to contain a heap use-after-free via the dw_empty_errlist_item function at /libdwarf/dwarf_alloc.c. (CVE-2024-31745)


Affected Packages:

libdwarf


Issue Correction:
Run dnf update libdwarf --releasever 2023.4.20240401 to update your system.

New Packages:
aarch64:
    libdwarf-static-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-debuginfo-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-tools-debuginfo-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-debugsource-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-devel-0.5.0-1.amzn2023.0.3.aarch64
    libdwarf-tools-0.5.0-1.amzn2023.0.3.aarch64

src:
    libdwarf-0.5.0-1.amzn2023.0.3.src

x86_64:
    libdwarf-static-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-tools-debuginfo-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-devel-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-tools-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-debuginfo-0.5.0-1.amzn2023.0.3.x86_64
    libdwarf-debugsource-0.5.0-1.amzn2023.0.3.x86_64