Amazon Linux 2 Security Advisory: ALAS2-2025-2948
Advisory Released Date: 2025-08-04
Advisory Updated Date: 2025-08-04
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c. (CVE-2022-48622)
A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. (CVE-2025-7345)
Affected Packages:
gdk-pixbuf2
Note:
This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update gdk-pixbuf2 or yum update --advisory ALAS2-2025-2948 to update your system.
New Packages:
aarch64:
gdk-pixbuf2-2.36.12-3.amzn2.0.2.aarch64
gdk-pixbuf2-devel-2.36.12-3.amzn2.0.2.aarch64
gdk-pixbuf2-tests-2.36.12-3.amzn2.0.2.aarch64
gdk-pixbuf2-debuginfo-2.36.12-3.amzn2.0.2.aarch64
i686:
gdk-pixbuf2-2.36.12-3.amzn2.0.2.i686
gdk-pixbuf2-devel-2.36.12-3.amzn2.0.2.i686
gdk-pixbuf2-tests-2.36.12-3.amzn2.0.2.i686
gdk-pixbuf2-debuginfo-2.36.12-3.amzn2.0.2.i686
src:
gdk-pixbuf2-2.36.12-3.amzn2.0.2.src
x86_64:
gdk-pixbuf2-2.36.12-3.amzn2.0.2.x86_64
gdk-pixbuf2-devel-2.36.12-3.amzn2.0.2.x86_64
gdk-pixbuf2-tests-2.36.12-3.amzn2.0.2.x86_64
gdk-pixbuf2-debuginfo-2.36.12-3.amzn2.0.2.x86_64
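A post-update check, added here as an example and not part of the advisory: it flags any gdk-pixbuf2 package whose installed version-release is older than the fixed 2.36.12-3.amzn2.0.2 listed above, using RPM's segment-wise version ordering rather than string comparison. The function names and the sample rpm output are constructed for illustration; the packages are assumed to carry no epoch, and tilde/caret version markers are not handled because these versions do not use them.

```python
import re

FIXED_EVR = "2.36.12-3.amzn2.0.2"  # fixed version-release from the advisory's package list
PACKAGES = {"gdk-pixbuf2", "gdk-pixbuf2-devel",
            "gdk-pixbuf2-tests", "gdk-pixbuf2-debuginfo"}

def rpm_vercmp(a, b):
    """Return -1, 0 or 1 following RPM's segment rules (no tilde/caret support)."""
    # RPM compares maximal runs of digits or letters; separators are ignored.
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings (epoch assumed absent)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def outdated(rpm_lines):
    """Lines as printed by:
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' 'gdk-pixbuf2*'"""
    hits = []
    for line in rpm_lines:
        parts = line.split()
        if (len(parts) == 2 and parts[0] in PACKAGES
                and evr_cmp(parts[1], FIXED_EVR) < 0):
            hits.append((parts[0], parts[1]))
    return hits

# Constructed sample output, not taken from a real host.
SAMPLE = [
    "gdk-pixbuf2 2.36.12-3.amzn2",             # older release: still needs the update
    "gdk-pixbuf2-devel 2.36.12-3.amzn2.0.2",   # exactly the fixed build
    "gdk-pixbuf2-tests 2.36.12-3.amzn2.0.10",  # newer; a plain string compare gets this wrong
    "other-package 1.0-1.amzn2",               # unrelated package, ignored
]

if __name__ == "__main__":
    for name, evr in outdated(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}")
```
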