CVE-2012-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025): Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow. CVE-2012-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4024): Stack-based buffer overflow in the get_component function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted list file (aka a crafted file for the -ef option). NOTE: probably in most cases, the list file is a trusted file constructed by the program's user; however, there are some realistic situations in which a list file would be obtained from an untrusted remote source.
I don't know how glsamaker does its job, but there is definitely no progress yet.
Upstream git contains fixes now: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123 http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e The commit messages lack any attribution to the original reporter of the vulnerabilities though.
I have put a snapshot in the tree but I since it has a lot more changes than just the ones we want, maybe it's not ready to go stable quite yet.
4.3 is in the tree since June 2014 and is being marked stable in bug #542226.
afaict, this is fixed in the 4.3 release which is already stable
New GLSA created.
This issue was resolved and addressed in GLSA 201612-40 at https://security.gentoo.org/glsa/201612-40 by GLSA coordinator Aaron Bauman (b-man).
