<p>Upgrade <code>Amazon-Linux:2018.03</code> <code>libcom_err</code> to version 0:1.43.5-2.44.amzn1 or higher.<br>This issue was patched in <code>ALAS-2021-1458</code>.</p>

Out-of-bounds Write Affecting libcom_err package, versions <0:1.43.5-2.44.amzn1

Snyk CVSS

Attack Complexity High

Privileges Required High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.08% (35^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN201803-LIBCOMERR-1724627
published 27 Sep 2021
disclosed 24 Sep 2019

Report a new vulnerability Found a mistake?

Introduced: 24 Sep 2019

CVE-2019-5094 Open this link in a new tab CWE-787 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2018.03 libcom_err to version 0:1.43.5-2.44.amzn1 or higher.
This issue was patched in ALAS-2021-1458.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcom_err package and not the libcom_err package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.