Amazon Linux 2023 Security Advisory: ALAS2023-2025-1207
Advisory Released Date: 2025-09-29
Advisory Updated Date: 2025-09-29
A heap overflow vulnerability exists in libvpx - Encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx.
We recommend upgrading to version 1.13.1 or above (CVE-2023-6349)
There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond (CVE-2024-5197)
Affected Packages:
libvpx
Issue Correction:
Run dnf update libvpx --releasever 2023.9.20250929 or dnf update --advisory ALAS2023-2025-1207 --releasever 2023.9.20250929 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
libvpx-debuginfo-1.11.0-1.amzn2023.0.5.aarch64
libvpx-utils-debuginfo-1.11.0-1.amzn2023.0.5.aarch64
libvpx-1.11.0-1.amzn2023.0.5.aarch64
libvpx-utils-1.11.0-1.amzn2023.0.5.aarch64
libvpx-devel-1.11.0-1.amzn2023.0.5.aarch64
libvpx-debugsource-1.11.0-1.amzn2023.0.5.aarch64
src:
libvpx-1.11.0-1.amzn2023.0.5.src
x86_64:
libvpx-debuginfo-1.11.0-1.amzn2023.0.5.x86_64
libvpx-utils-debuginfo-1.11.0-1.amzn2023.0.5.x86_64
libvpx-1.11.0-1.amzn2023.0.5.x86_64
libvpx-utils-1.11.0-1.amzn2023.0.5.x86_64
libvpx-devel-1.11.0-1.amzn2023.0.5.x86_64
libvpx-debugsource-1.11.0-1.amzn2023.0.5.x86_64