squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
Please file a stablereq when ready. Patch is in 4.5.
GLSA request filed
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2023-05-30 02:54:28 +0000
Commit: John Helmert III <firstname.lastname@example.org>
CommitDate: 2023-05-30 02:56:35 +0000
[ GLSA 202305-29 ] squashfs-tools: Multiple Vulnerabilities
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: John Helmert III <firstname.lastname@example.org>
glsa-202305-29.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
GLSA released, all done!