Your message dated Thu, 25 Jun 2026 20:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1016212: fixed in squirrel3 3.1-8.2+deb13u1
has caused the Debian Bug report #1016212,
regarding squirrel3: CVE-2021-41556
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1016212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: squirrel3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for squirrel3.
CVE-2021-41556[0]:
| sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an
| out-of-bounds read (in the core interpreter) that can lead to Code
| Execution. If a victim executes an attacker-controlled squirrel
| script, it is possible for the attacker to break out of the squirrel
| script sandbox even if all dangerous functionality such as File System
| functions has been disabled. An attacker might abuse this bug to
| target (for example) Cloud services that allow customization via
| SquirrelScripts, or distribute malware through video games that embed
| a Squirrel Engine.
https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: squirrel3
Source-Version: 3.1-8.2+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
squirrel3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated squirrel3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Jun 2026 23:28:11 +0300
Source: squirrel3
Architecture: source
Version: 3.1-8.2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Fabian Wolff <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1016212
Changes:
squirrel3 (3.1-8.2+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2021-41556: Sandbox Escape (Closes: #1016212)
Checksums-Sha1:
769e793d00907c8f68b4021b7da4cc2feebaaeab 2104 squirrel3_3.1-8.2+deb13u1.dsc
16d4636348dd50c9ee3c859a113553157da97a84 175612 squirrel3_3.1.orig.tar.gz
c1f9bf4b21e2285f00f15eebb2d2de90226dce26 7840 squirrel3_3.1-8.2+deb13u1.debian.tar.xz
Checksums-Sha256:
43f12574b7e5d5ac6c587d19ffe3d7444e96078377e35c3d4d260b874ebf0ab8 2104 squirrel3_3.1-8.2+deb13u1.dsc
51942b8638a97b673e34ecf3ca50304996fa99bbdbfa7fe93d9744e6769b2f95 175612 squirrel3_3.1.orig.tar.gz
b10cb376268a6d3c6339d7a72aa5905aa799b7bebf33c59bebc07a025f63aca9 7840 squirrel3_3.1-8.2+deb13u1.debian.tar.xz
Files:
88a7903afff720bdcd9a3546e0d592af 2104 interpreters optional squirrel3_3.1-8.2+deb13u1.dsc
2f8350d4d1c524a89b360ee3f8f8066b 175612 interpreters optional squirrel3_3.1.orig.tar.gz
c14a1f847f48ccaa1235e75c3ff91ef5 7840 interpreters optional squirrel3_3.1-8.2+deb13u1.debian.tar.xz
--- End Message ---