ALAS2-2025-2910

Amazon Linux 2 Security Advisory: ALAS2-2025-2910
Advisory Released Date: 2025-07-10
Advisory Updated Date: 2025-07-10

Severity: Medium

References: CVE-2025-6196
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service. (CVE-2025-6196)

Affected Packages:

libgepub

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update libgepub to update your system.

New Packages:

aarch64:
    libgepub-0.6.0-1.amzn2.0.1.aarch64
    libgepub-devel-0.6.0-1.amzn2.0.1.aarch64
    libgepub-debuginfo-0.6.0-1.amzn2.0.1.aarch64

i686:
    libgepub-0.6.0-1.amzn2.0.1.i686
    libgepub-devel-0.6.0-1.amzn2.0.1.i686
    libgepub-debuginfo-0.6.0-1.amzn2.0.1.i686

src:
    libgepub-0.6.0-1.amzn2.0.1.src

x86_64:
    libgepub-0.6.0-1.amzn2.0.1.x86_64
    libgepub-devel-0.6.0-1.amzn2.0.1.x86_64
    libgepub-debuginfo-0.6.0-1.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-6196

Mitre: CVE-2025-6196