Amazon Linux AMI update for gcc



Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2021-42574
CWE-ID: CWE-20
Exploitation vector: Local
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software:
Amazon Linux AMI (Operating systems & Components / Operating system)
gcc (Operating systems & Components / Operating system package or component)

Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU57848

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2021-42574

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows an attacker to bypass certain security checks.

The vulnerability exists in the Bidirectional Algorithm of the Unicode Specification. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders as different logic from the logical ordering of tokens ingested by compilers and interpreters.

An attacker can leverage this behavior to encode source code for compilers that accept Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.
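The practical defence against this class of issue is to refuse or flag the bidi control code points in source before a human reviews it. The scanner below is an added illustrative example, not code from the advisory, from Amazon, or from the gcc project: it reports every Unicode bidi formatting character (embeddings, overrides, isolates, marks) in a text and marks those left unterminated at end of line, which is the pattern that lets rendered text diverge from the token order the compiler sees. The sample input at the bottom is constructed for the example; the file-scanning entry point is a hypothetical pre-commit style check.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example (not from the advisory or the gcc project). Use as a
pre-commit or CI check: any finding is worth a human look, and an
unterminated embedding/override/isolate on a line is the classic
"Trojan Source" pattern described in CVE-2021-42574.
"""
import sys
from dataclasses import dataclass

# Explicit embeddings/overrides are closed by PDF; isolates are closed by PDI.
# Per UAX #9, a PDI also terminates any embeddings opened inside the isolate.
BIDI_EMBEDDINGS = {"\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO"}
BIDI_ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
BIDI_CLOSERS = {"\u202C": "PDF", "\u2069": "PDI"}
# Marks do not open a scope but still change rendering; report them too.
BIDI_MARKS = {"\u200E": "LRM", "\u200F": "RLM", "\u061C": "ALM"}


@dataclass
class Finding:
    line: int          # 1-based line number
    column: int        # 1-based character offset within the line
    name: str          # short Unicode name of the control character
    unterminated: bool  # True if this opener is never closed on its line


def scan_text(text: str) -> list:
    """Return all bidi control characters found in `text`, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Stack of (finding index, kind) for scopes still open on this line.
        open_scopes = []
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_EMBEDDINGS or ch in BIDI_ISOLATES:
                kind = "embed" if ch in BIDI_EMBEDDINGS else "isolate"
                name = BIDI_EMBEDDINGS.get(ch) or BIDI_ISOLATES[ch]
                findings.append(Finding(lineno, col, name, False))
                open_scopes.append((len(findings) - 1, kind))
            elif ch in BIDI_CLOSERS:
                findings.append(Finding(lineno, col, BIDI_CLOSERS[ch], False))
                if ch == "\u202C":  # PDF closes the innermost embedding only
                    if open_scopes and open_scopes[-1][1] == "embed":
                        open_scopes.pop()
                else:  # PDI closes the innermost isolate and anything inside it
                    while open_scopes:
                        _, kind = open_scopes.pop()
                        if kind == "isolate":
                            break
            elif ch in BIDI_MARKS:
                findings.append(Finding(lineno, col, BIDI_MARKS[ch], False))
        # Anything still open at end of line is an unterminated scope.
        for idx, _ in open_scopes:
            findings[idx].unterminated = True
    return findings


def scan_file(path: str) -> list:
    """Scan one file; undecodable bytes are replaced so binary junk cannot hide a hit."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: one paired override, one isolate never closed on its line.
SAMPLE = (
    "int main(void) {\n"
    "    /* clean comment */\n"
    "    /* \u202E reordered \u202C */ return 0;\n"
    "    /* \u2067 unterminated isolate */\n"
    "}\n"
)


if __name__ == "__main__":
    paths = sys.argv[1:]
    hits = 0
    if paths:
        for p in paths:
            for f in scan_file(p):
                hits += 1
                flag = " (UNTERMINATED)" if f.unterminated else ""
                print(f"{p}:{f.line}:{f.column}: bidi control {f.name}{flag}")
    else:
        for f in scan_text(SAMPLE):
            hits += 1
            flag = " (UNTERMINATED)" if f.unterminated else ""
            print(f"<sample>:{f.line}:{f.column}: bidi control {f.name}{flag}")
    sys.exit(1 if hits else 0)
```

Run it with one or more file paths to get a non-zero exit status whenever any bidi control character is present; with no arguments it scans the embedded constructed sample. The check deliberately reports paired controls as well as unterminated ones, because legitimate source rarely needs them outside of string literals and a reviewer should decide case by case.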

Mitigation

Update the affected packages:

aarch64:
    libstdc++-static-11.3.1-4.amzn2023.0.2.aarch64
    libgfortran-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libgcc-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libgccjit-11.3.1-4.amzn2023.0.2.aarch64
    gcc-plugin-devel-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-gfortran-11.3.1-4.amzn2023.0.2.aarch64
    libitm-static-11.3.1-4.amzn2023.0.2.aarch64
    libasan-11.3.1-4.amzn2023.0.2.aarch64
    libasan-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libtsan-11.3.1-4.amzn2023.0.2.aarch64
    libgcc-11.3.1-4.amzn2023.0.2.aarch64
    libitm-11.3.1-4.amzn2023.0.2.aarch64
    cpp-11.3.1-4.amzn2023.0.2.aarch64
    libatomic-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libgfortran-11.3.1-4.amzn2023.0.2.aarch64
    libgomp-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libstdc++-11.3.1-4.amzn2023.0.2.aarch64
    gcc-gdb-plugin-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libtsan-static-11.3.1-4.amzn2023.0.2.aarch64
    liblsan-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-debugsource-11.3.1-4.amzn2023.0.2.aarch64
    gcc-c++-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-gfortran-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libubsan-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-gdb-plugin-11.3.1-4.amzn2023.0.2.aarch64
    liblsan-static-11.3.1-4.amzn2023.0.2.aarch64
    liblsan-11.3.1-4.amzn2023.0.2.aarch64
    libstdc++-devel-11.3.1-4.amzn2023.0.2.aarch64
    libatomic-static-11.3.1-4.amzn2023.0.2.aarch64
    gcc-11.3.1-4.amzn2023.0.2.aarch64
    libgccjit-devel-11.3.1-4.amzn2023.0.2.aarch64
    libasan-static-11.3.1-4.amzn2023.0.2.aarch64
    libatomic-11.3.1-4.amzn2023.0.2.aarch64
    libitm-devel-11.3.1-4.amzn2023.0.2.aarch64
    libgccjit-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-c++-11.3.1-4.amzn2023.0.2.aarch64
    libgomp-11.3.1-4.amzn2023.0.2.aarch64
    cpp-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libitm-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libstdc++-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libubsan-11.3.1-4.amzn2023.0.2.aarch64
    gcc-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    gcc-plugin-devel-11.3.1-4.amzn2023.0.2.aarch64
    libubsan-static-11.3.1-4.amzn2023.0.2.aarch64
    libtsan-debuginfo-11.3.1-4.amzn2023.0.2.aarch64
    libgfortran-static-11.3.1-4.amzn2023.0.2.aarch64
    libstdc++-docs-11.3.1-4.amzn2023.0.2.aarch64

src:
    gcc-11.3.1-4.amzn2023.0.2.src

x86_64:
    gcc-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libasan-static-11.3.1-4.amzn2023.0.2.x86_64
    gcc-gdb-plugin-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libtsan-static-11.3.1-4.amzn2023.0.2.x86_64
    libgccjit-devel-11.3.1-4.amzn2023.0.2.x86_64
    libgfortran-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    liblsan-static-11.3.1-4.amzn2023.0.2.x86_64
    libstdc++-static-11.3.1-4.amzn2023.0.2.x86_64
    liblsan-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libasan-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    gcc-c++-11.3.1-4.amzn2023.0.2.x86_64
    libstdc++-11.3.1-4.amzn2023.0.2.x86_64
    cpp-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libubsan-static-11.3.1-4.amzn2023.0.2.x86_64
    libasan-11.3.1-4.amzn2023.0.2.x86_64
    gcc-offload-nvptx-11.3.1-4.amzn2023.0.2.x86_64
    gcc-11.3.1-4.amzn2023.0.2.x86_64
    libgomp-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    gcc-gfortran-11.3.1-4.amzn2023.0.2.x86_64
    gcc-plugin-devel-11.3.1-4.amzn2023.0.2.x86_64
    libtsan-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libubsan-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libgfortran-static-11.3.1-4.amzn2023.0.2.x86_64
    libgccjit-11.3.1-4.amzn2023.0.2.x86_64
    libstdc++-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libstdc++-devel-11.3.1-4.amzn2023.0.2.x86_64
    gcc-gfortran-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libgccjit-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libtsan-11.3.1-4.amzn2023.0.2.x86_64
    cpp-11.3.1-4.amzn2023.0.2.x86_64
    libitm-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    gcc-c++-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libgfortran-11.3.1-4.amzn2023.0.2.x86_64
    gcc-offload-nvptx-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    gcc-debugsource-11.3.1-4.amzn2023.0.2.x86_64
    libstdc++-docs-11.3.1-4.amzn2023.0.2.x86_64
    libquadmath-static-11.3.1-4.amzn2023.0.2.x86_64
    libquadmath-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    gcc-plugin-devel-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libgomp-11.3.1-4.amzn2023.0.2.x86_64
    liblsan-11.3.1-4.amzn2023.0.2.x86_64
    libubsan-11.3.1-4.amzn2023.0.2.x86_64
    libgcc-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libquadmath-11.3.1-4.amzn2023.0.2.x86_64
    gcc-gdb-plugin-11.3.1-4.amzn2023.0.2.x86_64
    libitm-static-11.3.1-4.amzn2023.0.2.x86_64
    libgcc-11.3.1-4.amzn2023.0.2.x86_64
    libitm-11.3.1-4.amzn2023.0.2.x86_64
    libatomic-static-11.3.1-4.amzn2023.0.2.x86_64
    libgomp-offload-nvptx-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libatomic-debuginfo-11.3.1-4.amzn2023.0.2.x86_64
    libgomp-offload-nvptx-11.3.1-4.amzn2023.0.2.x86_64
    libatomic-11.3.1-4.amzn2023.0.2.x86_64
    libquadmath-devel-11.3.1-4.amzn2023.0.2.x86_64
    libitm-devel-11.3.1-4.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

gcc: before 11.3.1-4

External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-030.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.