Source: squirrel3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for squirrel3.

CVE-2021-41556[0]:
| sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an
| out-of-bounds read (in the core interpreter) that can lead to Code
| Execution. If a victim executes an attacker-controlled squirrel
| script, it is possible for the attacker to break out of the squirrel
| script sandbox even if all dangerous functionality such as File System
| functions has been disabled. An attacker might abuse this bug to
| target (for example) Cloud services that allow customization via
| SquirrelScripts, or distribute malware through video games that embed
| a Squirrel Engine.

https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556

Please adjust the affected versions in the BTS as needed.

