ALAS2023-2025-969


Amazon Linux 2023 Security Advisory: ALAS2023-2025-969
Advisory Released Date: 2025-05-13
Advisory Updated Date: 2025-05-13
Severity: Medium

Issue Overview:

A vulnerability classified as critical has been found in GNU elfutils 0.192. It affects the function __libdw_thread_tail in the source file libdw_alloc.c of the component eu-readelf. Manipulation of the argument w leads to memory corruption. The attack can be initiated remotely, but its complexity is rather high and exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. (CVE-2025-1352)

A vulnerability declared as critical was found in GNU elfutils 0.192. It affects the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. Manipulation of the argument z/x leads to a buffer overflow. The attack has to be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. (CVE-2025-1372)


Affected Packages:

elfutils


Issue Correction:
Run dnf update elfutils --releasever 2023.7.20250512 to update your system.

New Packages:
aarch64:
    elfutils-libelf-devel-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfo-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfod-client-devel-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfod-debuginfo-0.188-3.amzn2023.0.3.aarch64
    elfutils-devel-0.188-3.amzn2023.0.3.aarch64
    elfutils-libelf-debuginfo-0.188-3.amzn2023.0.3.aarch64
    elfutils-libs-debuginfo-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfod-client-debuginfo-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfod-0.188-3.amzn2023.0.3.aarch64
    elfutils-libelf-0.188-3.amzn2023.0.3.aarch64
    elfutils-debugsource-0.188-3.amzn2023.0.3.aarch64
    elfutils-debuginfod-client-0.188-3.amzn2023.0.3.aarch64
    elfutils-libs-0.188-3.amzn2023.0.3.aarch64
    elfutils-0.188-3.amzn2023.0.3.aarch64

noarch:
    elfutils-default-yama-scope-0.188-3.amzn2023.0.3.noarch

src:
    elfutils-0.188-3.amzn2023.0.3.src

x86_64:
    elfutils-libelf-debuginfo-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfo-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfod-debuginfo-0.188-3.amzn2023.0.3.x86_64
    elfutils-libelf-0.188-3.amzn2023.0.3.x86_64
    elfutils-devel-0.188-3.amzn2023.0.3.x86_64
    elfutils-libelf-devel-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfod-client-debuginfo-0.188-3.amzn2023.0.3.x86_64
    elfutils-libs-debuginfo-0.188-3.amzn2023.0.3.x86_64
    elfutils-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfod-client-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfod-client-devel-0.188-3.amzn2023.0.3.x86_64
    elfutils-debuginfod-0.188-3.amzn2023.0.3.x86_64
    elfutils-libs-0.188-3.amzn2023.0.3.x86_64
    elfutils-debugsource-0.188-3.amzn2023.0.3.x86_64