Debian Bug report logs -
#994262
squashfs-tools: CVE-2021-41072
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 14 Sep 2021 20:09:04 UTC
Severity: important
Tags: security, upstream
Found in versions squashfs-tools/1:4.3-12, squashfs-tools/1:4.5-2, squashfs-tools/1:4.4-2+deb11u1, squashfs-tools/1:4.4-2, squashfs-tools/1:4.3-12+deb10u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#994262; Package src:squashfs-tools.
(Tue, 14 Sep 2021 20:09:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 14 Sep 2021 20:09:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: squashfs-tools
Version: 1:4.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:4.4-2+deb11u1
Control: found -1 1:4.4-2
Control: found -1 1:4.3-12+deb10u1
Control: found -1 1:4.3-12
Hi,
The following vulnerability was published for squashfs-tools.
CVE-2021-41072[0]:
| squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows
| Directory Traversal, a different vulnerability than CVE-2021-40153. A
| squashfs filesystem that has been crafted to include a symbolic link
| and then contents under the same filename in a filesystem can cause
| unsquashfs to first create the symbolic link pointing outside the
| expected directory, and then the subsequent write operation will cause
| the unsquashfs process to write through the symbolic link elsewhere in
| the filesystem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072
[1] https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
[2] https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c (Makefile fix)
[3] https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
Regards,
Salvatore
Marked as found in versions squashfs-tools/1:4.4-2+deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 14 Sep 2021 20:09:06 GMT) (full text, mbox, link).
Marked as found in versions squashfs-tools/1:4.4-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 14 Sep 2021 20:09:06 GMT) (full text, mbox, link).
Marked as found in versions squashfs-tools/1:4.3-12+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 14 Sep 2021 20:09:07 GMT) (full text, mbox, link).
Marked as found in versions squashfs-tools/1:4.3-12.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 14 Sep 2021 20:09:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Sep 15 16:21:17 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon