Source: squashfs-tools Version: 1:4.5-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1:4.4-2+deb11u1 Control: found -1 1:4.4-2 Control: found -1 1:4.3-12+deb10u1 Control: found -1 1:4.3-12
Hi, The following vulnerability was published for squashfs-tools. CVE-2021-41072[0]: | squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows | Directory Traversal, a different vulnerability than CVE-2021-40153. A | squashfs filesystem that has been crafted to include a symbolic link | and then contents under the same filename in a filesystem can cause | unsquashfs to first create the symbolic link pointing outside the | expected directory, and then the subsequent write operation will cause | the unsquashfs process to write through the symbolic link elsewhere in | the filesystem. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-41072 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072 [1] https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd [2] https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c (Makefile fix) [3] https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405 Regards, Salvatore