ALAS2-2021-1605

Affecting glibc-langpack-en package, versions <2.26-41.amzn2

high severity

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy(), which specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as an out-of-bounds memory write and potentially remote code execution.

CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade glibc-langpack-en to version 2.26-41.amzn2 or higher.
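As an added example, not part of the advisory: the version comparison a defender needs to decide whether an Amazon Linux 2 host still carries an affected glibc-langpack-en build. rpmvercmp is a minimal reimplementation of rpm's comparison rules (assumed sufficient for the version strings used here), and installed_vr is an assumed helper that shells out to rpm -q when rpm is present.

```python
import re
import subprocess

# Fixed version-release from the advisory: anything below this is affected.
FIXED_VR = "2.26-41.amzn2"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare version/release strings like rpm's rpmvercmp: separators are
    skipped, digit runs compare numerically, letter runs lexically, numeric
    outranks alphabetic, and a longer string with an equal prefix is newer.
    Returns -1, 0 or 1. Tilde/caret markers are not handled (not used here)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings (no epoch; glibc on AL2 has none)."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_affected(installed_vr_str: str) -> bool:
    """True if the installed build is older than the fixed build."""
    return compare_vr(installed_vr_str, FIXED_VR) < 0


def installed_vr(package: str = "glibc-langpack-en"):
    """Installed version-release via rpm; None if rpm is absent or the
    package is not installed (rpm exits non-zero in that case)."""
    try:
        proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}",
                               package], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    vr = installed_vr()
    state = "not installed / rpm unavailable" if vr is None else (
        "AFFECTED, update needed" if is_affected(vr) else "fixed")
    print(f"glibc-langpack-en {vr}: {state}")
```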

References

CVE: ALAS2-2021-1605
Snyk ID: SNYK-AMZN2-GLIBCLANGPACKEN-1077453
Published: 20 Feb, 2021