Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 427356 (CVE-2012-4024, CVE-2012-4025) - <sys-fs/squashfs-tools-4.3: Multiple buffer overflows in unsquashfs (CVE-2012-{4024,4025})
Summary: <sys-fs/squashfs-tools-4.3: Multiple buffer overflows in unsquashfs (CVE-2012...
Status: RESOLVED FIXED
Alias: CVE-2012-4024, CVE-2012-4025
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 542226
Blocks:
  Show dependency tree
 
Reported: 2012-07-20 16:31 UTC by GLSAMaker/CVETool Bot
Modified: 2016-12-13 06:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-20 16:31:09 UTC
CVE-2012-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025):
  Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in
  Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code
  via a crafted block_log field in the superblock of a .sqsh file, leading to
  a heap-based buffer overflow.

CVE-2012-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4024):
  Stack-based buffer overflow in the get_component function in unsquashfs.c in
  unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute
  arbitrary code via a crafted list file (aka a crafted file for the -ef
  option).  NOTE: probably in most cases, the list file is a trusted file
  constructed by the program's user; however, there are some realistic
  situations in which a list file would be obtained from an untrusted remote
  source.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-20 12:32:39 UTC
I don't know how glsamaker does its job, but there is definitely no progress yet.
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-15 21:01:09 UTC
Upstream git contains fixes now:
http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e

The commit messages lack any attribution to the original reporter of the vulnerabilities though.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-17 12:39:27 UTC
I have put a snapshot in the tree but I since it has a lot more changes than just the ones we want, maybe it's not ready to go stable quite yet.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-06 06:53:03 UTC
4.3 is in the tree since June 2014 and is being marked stable in bug #542226.
Comment 5 SpanKY gentoo-dev 2016-06-17 15:06:26 UTC
afaict, this is fixed in the 4.3 release which is already stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-11-29 23:22:51 UTC
New GLSA created.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:55:47 UTC
This issue was resolved and addressed in
 GLSA 201612-40 at https://security.gentoo.org/glsa/201612-40
by GLSA coordinator Aaron Bauman (b-man).