ALAS2-2020-1509

Affecting libcom_err package, versions <1.42.9-19.amzn2

Report new vulnerabilities
medium severity
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1509. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-5188: 1790048: CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. CVE-2019-5094: 1768555: CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade libcom_err to version or higher.

References

CVE
ALAS2-2020-1509
Snyk ID
SNYK-AMZN2-LIBCOMERR-1022408
Published
28 Oct, 2020