ALAS-2023-1740

Amazon Linux 1 (EOL) Security Advisory: ALAS-2023-1740
Advisory Released Date: 2023-05-03
Advisory Updated Date: 2023-05-03

Severity: Medium

References: CVE-2020-36330 CVE-2020-36331
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability. (CVE-2020-36330)

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability. (CVE-2020-36331)

Affected Packages:

libwebp

Issue Correction:
Run yum update libwebp or yum update --advisory ALAS-2023-1740 to update your system.

New Packages:

i686:
    libwebp-devel-0.3.0-10.8.amzn1.i686
    libwebp-0.3.0-10.8.amzn1.i686
    libwebp-java-0.3.0-10.8.amzn1.i686
    libwebp-tools-0.3.0-10.8.amzn1.i686
    libwebp-debuginfo-0.3.0-10.8.amzn1.i686

src:
    libwebp-0.3.0-10.8.amzn1.src

x86_64:
    libwebp-devel-0.3.0-10.8.amzn1.x86_64
    libwebp-0.3.0-10.8.amzn1.x86_64
    libwebp-java-0.3.0-10.8.amzn1.x86_64
    libwebp-tools-0.3.0-10.8.amzn1.x86_64
    libwebp-debuginfo-0.3.0-10.8.amzn1.x86_64

Additional References

Red Hat: CVE-2020-36330, CVE-2020-36331

Mitre: CVE-2020-36330, CVE-2020-36331