Amazon Linux 2023 Security Advisory: ALAS-2024-705
Advisory Release Date: 2024-08-14 19:14 Pacific
Advisory Updated Date: 2024-08-19 10:50 Pacific
Severity:
Medium
Issue Overview:
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. (CVE-2023-52168)
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. (CVE-2023-52169)
Affected Packages:
p7zip
Issue Correction:
Run dnf update p7zip --releasever 2023.5.20240819 to update your system.
New Packages:
aarch64:
p7zip-plugins-debuginfo-16.02-20.amzn2023.0.6.aarch64
p7zip-plugins-16.02-20.amzn2023.0.6.aarch64
p7zip-16.02-20.amzn2023.0.6.aarch64
p7zip-debugsource-16.02-20.amzn2023.0.6.aarch64
noarch:
p7zip-doc-16.02-20.amzn2023.0.6.noarch
src:
p7zip-16.02-20.amzn2023.0.6.src
x86_64:
p7zip-plugins-debuginfo-16.02-20.amzn2023.0.6.x86_64
p7zip-16.02-20.amzn2023.0.6.x86_64
p7zip-plugins-16.02-20.amzn2023.0.6.x86_64
p7zip-debugsource-16.02-20.amzn2023.0.6.x86_64