
Bug 427356 (CVE-2012-4024, CVE-2012-4025)

Summary: <sys-fs/squashfs-tools-4.3: Multiple buffer overflows in unsquashfs (CVE-2012-{4024,4025})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: livecd
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: http://bugs.debian.org/683371
          https://bugzilla.redhat.com/show_bug.cgi?id=847270
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 542226
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-20 16:31:09 UTC
CVE-2012-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025):
  Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in
  Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code
  via a crafted block_log field in the superblock of a .sqsh file, leading to
  a heap-based buffer overflow.

CVE-2012-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4024):
  Stack-based buffer overflow in the get_component function in unsquashfs.c in
  unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute
  arbitrary code via a crafted list file (aka a crafted file for the -ef
  option).  NOTE: probably in most cases, the list file is a trusted file
  constructed by the program's user; however, there are some realistic
  situations in which a list file would be obtained from an untrusted remote
  source.
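The two CVE texts above describe two classic C bug classes: an allocation size derived from an untrusted on-disk field (block_log in the superblock) that overflows before it reaches the allocator, and an unbounded copy of a path component from a list file into a fixed stack buffer. The following is an added example, written for this page and not code from unsquashfs, squashfs-tools or the upstream fix commits; it models each bug class as a simplified unchecked shape next to a checked one. The function names, the BUFFER_MIB budget, the COMPONENT_CAP buffer size and the sample inputs are all constructed for illustration; the 4 KiB to 1 MiB block-size range (block_log 12 to 20) is the squashfs limit.

```c
/*
 * Added example, not code from unsquashfs or this bug: a simplified model of
 * the two bug classes named in the CVE text, each as the unchecked shape next
 * to a checked one. Limits, names and inputs are constructed for illustration.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* squashfs block sizes run from 4 KiB (block_log 12) to 1 MiB (block_log 20). */
#define BLOCK_MIN_LOG 12
#define BLOCK_MAX_LOG 20
/* Assumed buffer budget (in MiB) from which a queue size is derived. */
#define BUFFER_MIB 512
/* Assumed fixed stack buffer size for one path component. */
#define COMPONENT_CAP 1024

/* CVE-2012-4025 shape, step 1: a queue size derived from superblock fields.
 * Rejecting block_log before shifting avoids the negative or oversized shift
 * (undefined behaviour) that an unchecked "BUFFER_MIB << (20 - block_log)"
 * would perform on a crafted value. Returns -1 for a rejected superblock. */
int superblock_queue_size(uint32_t block_size, uint16_t block_log) {
    if (block_log < BLOCK_MIN_LOG || block_log > BLOCK_MAX_LOG)
        return -1;
    if (block_size != (1u << block_log))   /* the two fields must agree */
        return -1;
    return BUFFER_MIB << (BLOCK_MAX_LOG - block_log);
}

/* Step 2, unchecked: allocation-size arithmetic in 32 bits with no overflow
 * check (unsigned here so the wrap is defined and can be demonstrated).
 * size = 0xFFFFFFFF wraps to 0 bytes: a tiny allocation followed by
 * out-of-bounds stores, i.e. the heap overflow the CVE describes. */
uint32_t queue_bytes_unchecked32(uint32_t size) {
    return (size + 1u) * (uint32_t)sizeof(void *);
}

/* Step 2, checked: reject negative sizes, the size+1 overflow and the
 * multiplication overflow. Returns 0 (never a valid result) on rejection. */
size_t queue_bytes_checked(int size) {
    if (size < 0 || size == INT_MAX)
        return 0;
    size_t n = (size_t)size + 1;
    if (n > SIZE_MAX / sizeof(void *))
        return 0;
    return n * sizeof(void *);
}

/* CVE-2012-4024 shape, unchecked: copy one path component into a caller's
 * fixed buffer with no bound. A list-file line whose component is longer
 * than that buffer overruns it. Kept for contrast only; never called below. */
char *get_component_unchecked(char *target, char *targname) {
    while (*target == '/') target++;
    while (*target != '/' && *target != '\0') *targname++ = *target++;
    *targname = '\0';
    return target;
}

/* Checked: same contract, but refuses a component that would not fit in
 * 'cap' bytes including the terminator, returning NULL instead. */
const char *get_component_checked(const char *target, char *out, size_t cap) {
    size_t n = 0;
    while (*target == '/') target++;
    while (*target != '/' && *target != '\0') {
        if (n + 1 >= cap) return NULL;   /* keep room for the '\0' */
        out[n++] = *target++;
    }
    out[n] = '\0';
    return target;
}

/* Walk a path the way a list-file consumer would, component by component.
 * Returns the number of components, or -1 if any component is oversized. */
int count_components(const char *path) {
    char comp[COMPONENT_CAP];
    int count = 0;
    while (*path != '\0') {
        path = get_component_checked(path, comp, sizeof comp);
        if (path == NULL) return -1;
        if (comp[0] != '\0') count++;
    }
    return count;
}

/* Constructed hostile list-file line: one component of 2000 'a' characters. */
int demo_overlong_component(void) {
    static char line[2002];
    line[0] = '/';
    memset(line + 1, 'a', 2000);
    line[2001] = '\0';
    return count_components(line);
}

int main(void) {
    printf("queue size for 128 KiB blocks:  %d\n", superblock_queue_size(1u << 17, 17));
    printf("queue size for block_log 21:    %d\n", superblock_queue_size(1u << 21, 21));
    printf("unchecked bytes for 0xFFFFFFFF: %u\n", queue_bytes_unchecked32(UINT32_MAX));
    printf("checked bytes for INT_MAX:      %zu\n", queue_bytes_checked(INT_MAX));
    printf("components in /usr/share/doc:   %d\n", count_components("/usr/share/doc"));
    printf("overlong component accepted?    %d\n", demo_overlong_component());
    return 0;
}
```

The checked variants fail closed: an out-of-range block_log or an oversized component is rejected before any allocation or copy happens, which is the property a hardened unsquashfs needs when the superblock or the -ef list file comes from an untrusted source.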
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-20 12:32:39 UTC
I don't know how glsamaker does its job, but there is definitely no progress yet.
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-15 21:01:09 UTC
Upstream git contains fixes now:
http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e

The commit messages lack any attribution to the original reporter of the vulnerabilities though.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-17 12:39:27 UTC
I have put a snapshot in the tree, but since it has a lot more changes than just the ones we want, maybe it's not ready to go stable quite yet.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-06 06:53:03 UTC
4.3 is in the tree since June 2014 and is being marked stable in bug #542226.
Comment 5 SpanKY gentoo-dev 2016-06-17 15:06:26 UTC
afaict, this is fixed in the 4.3 release which is already stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 23:22:51 UTC
New GLSA created.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:55:47 UTC
This issue was resolved and addressed in GLSA 201612-40 at https://security.gentoo.org/glsa/201612-40
by GLSA coordinator Aaron Bauman (b-man).