Debian Bug report logs - #1016212
squirrel3: CVE-2021-41556
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Fabian Wolff <fabi.wolff@arcor.de>: Bug#1016212; Package src:squirrel3. (Fri, 29 Jul 2022 14:39:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Fabian Wolff <fabi.wolff@arcor.de>. (Fri, 29 Jul 2022 14:39:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: squirrel3
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for squirrel3.
CVE-2021-41556[0]:
| sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an
| out-of-bounds read (in the core interpreter) that can lead to Code
| Execution. If a victim executes an attacker-controlled squirrel
| script, it is possible for the attacker to break out of the squirrel
| script sandbox even if all dangerous functionality such as File System
| functions has been disabled. An attacker might abuse this bug to
| target (for example) Cloud services that allow customization via
| SquirrelScripts, or distribute malware through video games that embed
| a Squirrel Engine.
https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556
Please adjust the affected versions in the BTS as needed.
Last modified: Sat Jul 30 13:17:02 2022