ALAS2023-2024-728

Amazon Linux 2023 Security Advisory: ALAS2023-2024-728
Advisory Released Date: 2024-10-14
Advisory Updated Date: 2024-10-14

Severity: Medium

References: CVE-2024-40897
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. (CVE-2024-40897)

Affected Packages:

orc

Issue Correction:
Run dnf update orc --releasever 2023.6.20241010 to update your system.

New Packages:

aarch64:
    orc-debuginfo-0.4.31-4.amzn2023.0.4.aarch64
    orc-devel-0.4.31-4.amzn2023.0.4.aarch64
    orc-compiler-0.4.31-4.amzn2023.0.4.aarch64
    orc-0.4.31-4.amzn2023.0.4.aarch64
    orc-compiler-debuginfo-0.4.31-4.amzn2023.0.4.aarch64
    orc-debugsource-0.4.31-4.amzn2023.0.4.aarch64

noarch:
    orc-doc-0.4.31-4.amzn2023.0.4.noarch

src:
    orc-0.4.31-4.amzn2023.0.4.src

x86_64:
    orc-compiler-0.4.31-4.amzn2023.0.4.x86_64
    orc-devel-0.4.31-4.amzn2023.0.4.x86_64
    orc-compiler-debuginfo-0.4.31-4.amzn2023.0.4.x86_64
    orc-0.4.31-4.amzn2023.0.4.x86_64
    orc-debugsource-0.4.31-4.amzn2023.0.4.x86_64
    orc-debuginfo-0.4.31-4.amzn2023.0.4.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-40897

Mitre: CVE-2024-40897