Your message dated Sat, 18 Sep 2021 12:23:34 +0000
with message-id <[email protected]>
and subject line Bug#994262: fixed in squashfs-tools 1:4.5-3
has caused the Debian Bug report #994262,
regarding squashfs-tools: CVE-2021-41072
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
994262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: squashfs-tools
Version: 1:4.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:4.4-2+deb11u1
Control: found -1 1:4.4-2
Control: found -1 1:4.3-12+deb10u1
Control: found -1 1:4.3-12
Hi,
The following vulnerability was published for squashfs-tools.
CVE-2021-41072[0]:
| squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows
| Directory Traversal, a different vulnerability than CVE-2021-40153. A
| squashfs filesystem that has been crafted to include a symbolic link
| and then contents under the same filename in a filesystem can cause
| unsquashfs to first create the symbolic link pointing outside the
| expected directory, and then the subsequent write operation will cause
| the unsquashfs process to write through the symbolic link elsewhere in
| the filesystem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41072
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072
[1] https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
[2] https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c (Makefile fix)
[3] https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
Regards,
Salvatore
--- End Message ---
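The defensive counterpart to the symlink-then-file pattern the report quotes, as an added example written for this page (not code from squashfs-tools, from the upstream commits, or from either message): it opens every path component relative to its parent with O_NOFOLLOW, the general openat-style approach rather than the specific upstream patch. open_for_write, _open_nofollow, UnsafePath and demo are hypothetical names, and demo builds its scenario in a temporary directory.

```python
import errno
import os
import tempfile
class UnsafePath(Exception):
    """Raised when an extraction path would leave the destination directory."""

def _open_nofollow(name, flags, dir_fd, rel_path):
    """openat()-style open of one component; a symlink there raises UnsafePath."""
    try:
        return os.open(name, flags | os.O_NOFOLLOW, 0o644, dir_fd=dir_fd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):  # ELOOP: O_NOFOLLOW hit a symlink
            raise UnsafePath(rel_path) from e
        raise

def open_for_write(dest_root, rel_path):
    """Create rel_path below dest_root and return a writable fd. Each component is
    opened relative to its parent, never through a symlink a previous entry planted."""
    parts = rel_path.split("/")
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise UnsafePath(rel_path)
    cur = os.open(dest_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            try:
                os.mkdir(comp, 0o755, dir_fd=cur)  # EEXIST also when a symlink sits here
            except FileExistsError:
                pass
            nxt = _open_nofollow(comp, os.O_RDONLY | os.O_DIRECTORY, cur, rel_path)
            os.close(cur)
            cur = nxt
        return _open_nofollow(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, cur, rel_path)
    finally:
        os.close(cur)

def demo():
    """Constructed scenario: dest/link -> ../outside, then an archive entry link/pwned."""
    with tempfile.TemporaryDirectory() as tmp:
        dest, outside = os.path.join(tmp, "dest"), os.path.join(tmp, "outside")
        os.mkdir(dest); os.mkdir(outside)
        os.symlink("../outside", os.path.join(dest, "link"))
        naive = os.path.realpath(os.path.join(dest, "link", "pwned"))  # plain open() lands here
        try:
            open_for_write(dest, "link/pwned")
            blocked = False
        except UnsafePath:
            blocked = True
        os.close(open_for_write(dest, "sub/dir/ok.txt"))  # an honest nested entry still works
        return {"naive_escaped": not naive.startswith(os.path.realpath(dest) + os.sep),
                "checked_blocked": blocked, "normal_ok": os.path.isfile(os.path.join(dest, "sub/dir/ok.txt"))}
```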
--- Begin Message ---
Source: squashfs-tools
Source-Version: 1:4.5-3
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
squashfs-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated squashfs-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 18 Sep 2021 13:42:40 +0200
Source: squashfs-tools
Architecture: source
Version: 1:4.5-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 994262
Changes:
squashfs-tools (1:4.5-3) unstable; urgency=high
.
* Backport patches to fix:
- use squashfs_closedir() to delete directory,
- dynamically allocate unsquashfs name,
- use linked list to store directory names.
* Fix CVE-2021-41072: additional unsquashfs write outside destination
directory exploit fix (closes: #994262).
--- End Message ---