Mageia 2022-0010: squashfs-tools security update
Summary
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename
in the directory entry; this is then used by unsquashfs to create the new
file during the unsquash. The filename is not validated for traversal
outside of the destination directory, and thus allows writing to locations
outside of the destination. (CVE-2021-40153)
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory
Traversal, a different vulnerability than CVE-2021-40153. A squashfs
filesystem that has been crafted to include a symbolic link and then
contents under the same filename in a filesystem can cause unsquashfs to
first create the symbolic link pointing outside the expected directory,
and then the subsequent write operation will cause the unsquashfs process
to write through the symbolic link elsewhere in the filesystem.
(CVE-2021-41072)
References
- https://bugs.mageia.org/show_bug.cgi?id=29429
- https://ubuntu.com/security/notices/USN-5057-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
- https://www.debian.org/security/2021/dsa-4967
- https://ubuntu.com/security/notices/USN-5078-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
- https://www.debian.org/security/2021/dsa-4987
- https://ubuntu.com/security/notices/USN-5078-3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40153
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072
Resolution
MGASA-2022-0010 - Updated squashfs-tools packages fix security vulnerability
SRPMS
- 8/core/squashfs-tools-4.5-1.git5ae723.1.mga8