ALAS2-2025-2903

Amazon Linux 2 Security Advisory: ALAS2-2025-2903
Advisory Released Date: 2025-06-24
Advisory Updated Date: 2025-06-24

Severity: Medium

References: CVE-2025-2750 CVE-2025-2751 CVE-2025-2757 CVE-2025-3158
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. (CVE-2025-2750)

A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na leads to out-of-bounds read. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. (CVE-2025-2751)

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. (CVE-2025-2757)

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. Affected by this issue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. (CVE-2025-3158)

Affected Packages:

qt5-qt3d

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update qt5-qt3d to update your system.

New Packages:

aarch64:
    qt5-qt3d-5.15.3-1.amzn2.0.6.aarch64
    qt5-qt3d-devel-5.15.3-1.amzn2.0.6.aarch64
    qt5-qt3d-examples-5.15.3-1.amzn2.0.6.aarch64
    qt5-qt3d-debuginfo-5.15.3-1.amzn2.0.6.aarch64

i686:
    qt5-qt3d-5.15.3-1.amzn2.0.6.i686
    qt5-qt3d-devel-5.15.3-1.amzn2.0.6.i686
    qt5-qt3d-examples-5.15.3-1.amzn2.0.6.i686
    qt5-qt3d-debuginfo-5.15.3-1.amzn2.0.6.i686

src:
    qt5-qt3d-5.15.3-1.amzn2.0.6.src

x86_64:
    qt5-qt3d-5.15.3-1.amzn2.0.6.x86_64
    qt5-qt3d-devel-5.15.3-1.amzn2.0.6.x86_64
    qt5-qt3d-examples-5.15.3-1.amzn2.0.6.x86_64
    qt5-qt3d-debuginfo-5.15.3-1.amzn2.0.6.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158

Mitre: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158