843158 – (CVE-2021-41556, CVE-2022-30292) [Tracker] dev-lang/squirrel: multiple vulnerabilities

Bug 843158 (CVE-2021-41556, CVE-2022-30292) - [Tracker] dev-lang/squirrel: multiple vulnerabilities

Summary: [Tracker] dev-lang/squirrel: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2021-41556, CVE-2022-30292

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:	843155 861806 843008 885757
Blocks:
	Show dependency tree

Reported:	2022-05-07 14:59 UTC by John Helmert III
Modified:	2022-12-13 10:40 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-05-07 14:59:59 UTC

Not really sure about impact, but this apparently affects several of our packages.

Comment 1 John Helmert III archtester

2022-07-29 05:25:22 UTC

CVE-2021-41556:

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.

https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/

Patch is in 3.2.