Bug 811474 - sys-fs/squashfs-tools-4.5: Important bug found in release
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Michał Górny
Reported: 2021-09-03 07:16 UTC by Pacho Ramos
Modified: 2021-10-15 03:21 UTC
Description Pacho Ramos gentoo-dev 2021-09-03 07:16:34 UTC
I read this in the upstream README:
https://github.com/plougher/squashfs-tools/blob/master/README

2021-07-25 Important bug found in release.

A new point release will be forthcoming in the
next couple of days.  Sooner if no other release
bugs are reported.

I think the needed commit is:
https://github.com/plougher/squashfs-tools/commit/19b161c1cd3e31f7a396ea92dea4390ad43f27b9

It would be nice if the patch could be included in a revision... or maybe get a new snapshot (to also include https://github.com/plougher/squashfs-tools/commit/5f56f67f387805d2989c06d222502d293af3e406 ) 

Thanks a lot
Comment 1 Pacho Ramos gentoo-dev 2021-09-19 17:17:52 UTC
Fedora is packaging a snapshot from 6 days ago to also fix CVE-2021-41072
https://github.com/plougher/squashfs-tools/issues/72
Comment 2 Larry the Git Cow gentoo-dev 2021-10-15 03:20:35 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b99b21377e23907dcb9986ef1ebfdc30b931c235

commit b99b21377e23907dcb9986ef1ebfdc30b931c235
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-15 03:19:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-15 03:20:28 +0000

    sys-fs/squashfs-tools: add 4.5_p20210914
    
    Contains a fix for a CVE (CVE-2021-41072) but
    also a few regressions and follow up fixes.
    
    Upstream say there's a new version coming
    soon but best not to wait.
    
    Closes: https://bugs.gentoo.org/811474
    Bug: https://bugs.gentoo.org/811474
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-fs/squashfs-tools/Manifest                     |  1 +
 .../squashfs-tools-4.5_p20210914.ebuild            | 59 ++++++++++++++++++++++
 2 files changed, 60 insertions(+)
