Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 813654 (CVE-2021-41072)

Summary: <sys-fs/squashfs-tools-4.5_p20210914: another directory traversal (CVE-2021-41072)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
See Also: https://bugs.gentoo.org/show_bug.cgi?id=811474
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 828028    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 14:43:42 UTC
CVE-2021-41072:

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Patch: https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-15 03:21:33 UTC
See https://bugs.gentoo.org/811474#c2 (meant to tag this bug and somehow didn't).
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-12-03 08:42:43 UTC
cleanup done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:43:09 UTC
Arbitrary file writes are arbitrary code execution. Upgrading severity for both.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:43:15 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-05-30 02:56:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7c5aee9146a9230980d95e7d2037c660f20dd275

commit 7c5aee9146a9230980d95e7d2037c660f20dd275
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:28 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:35 +0000

    [ GLSA 202305-29 ] squashfs-tools: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/810706
    Bug: https://bugs.gentoo.org/813654
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-29.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:00:07 UTC
GLSA released, all done!