Your message dated Sat, 16 Oct 2021 13:53:06 +0000
with message-id <[email protected]>
and subject line Bug#994262: fixed in squashfs-tools 1:4.3-12+deb10u2
has caused the Debian Bug report #994262,
regarding squashfs-tools: CVE-2021-41072
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: squashfs-tools
Version: 1:4.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:4.4-2+deb11u1
Control: found -1 1:4.4-2
Control: found -1 1:4.3-12+deb10u1
Control: found -1 1:4.3-12

Hi,

The following vulnerability was published for squashfs-tools.

CVE-2021-41072[0]:
| squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows
| Directory Traversal, a different vulnerability than CVE-2021-40153. A
| squashfs filesystem that has been crafted to include a symbolic link
| and then contents under the same filename in a filesystem can cause
| unsquashfs to first create the symbolic link pointing outside the
| expected directory, and then the subsequent write operation will cause
| the unsquashfs process to write through the symbolic link elsewhere in
| the filesystem.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41072
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072
[1] https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
[2] https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c (Makefile fix)
[3] https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405

Regards,
Salvatore

--- End Message ---
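The CVE text above describes a two-step write: an image entry first creates a symlink inside the extraction directory that points outside it, and a later entry with the same name is then written through that link. The following is an added example, not squashfs-tools code and not the upstream fix (that is in the linked commits); it reproduces the mechanism with a naive writer and shows one generic mitigation, opening new entries with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing symlink at the target name is refused instead of followed. All paths, file names and the "outside.txt" stand-in for a real victim file are constructed for the demo; it assumes a POSIX system with a writable /tmp.

```c
/* Added example: write-through-symlink during extraction, and a hardened open().
 * Not squashfs-tools code. Assumes POSIX and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive extraction write: open(2) resolves the final path component, so if
 * `path` is a symlink the data lands wherever the link points. */
static int naive_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened write for a brand-new entry: O_EXCL refuses any existing name
 * (including a symlink, regardless of target) and O_NOFOLLOW refuses to
 * resolve a symlink in the final component. Either flag alone blocks this
 * case; both together also catch a pre-existing regular file. */
static int safe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

struct demo_result {
    int naive_clobbered;  /* 1 if the naive writer overwrote the outside file */
    int safe_refused;     /* 1 if the hardened writer refused the same entry */
};

/* Simulates the crafted image: entry 1 is a symlink "payload" -> outside the
 * destination, entry 2 is a regular file also named "payload". All names are
 * constructed for the demo; outside.txt stands in for a real victim file. */
struct demo_result demo_symlink_traversal(void) {
    struct demo_result r = { -1, -1 };
    char dir[] = "/tmp/unsq-demo-XXXXXX";
    if (!mkdtemp(dir)) return r;

    char dest[300], outside[300], link[300];
    snprintf(dest, sizeof dest, "%s/dest", dir);            /* extraction dir */
    snprintf(outside, sizeof outside, "%s/outside.txt", dir); /* victim file */
    snprintf(link, sizeof link, "%s/payload", dest);

    if (mkdir(dest, 0755) != 0) return r;
    if (naive_write(outside, "original") != 0) return r;    /* pre-existing victim */

    /* Entry 1: symlink created inside dest, pointing outside it. */
    if (symlink(outside, link) != 0) return r;

    /* Entry 2: file body written to the same name. The naive path follows
     * the link and the data ends up in outside.txt. */
    r.naive_clobbered = 0;
    if (naive_write(link, "attacker data") == 0) {
        char buf[32] = {0};
        int fd = open(outside, O_RDONLY);
        if (fd >= 0) {
            ssize_t n = read(fd, buf, sizeof buf - 1);
            if (n > 0) buf[n] = '\0';
            close(fd);
        }
        r.naive_clobbered = (strcmp(buf, "attacker data") == 0);
    }

    /* Hardened path on the same entry: must fail with EEXIST or ELOOP. */
    r.safe_refused = (safe_write(link, "attacker data") != 0 &&
                      (errno == EEXIST || errno == ELOOP));

    unlink(link); unlink(outside); rmdir(dest); rmdir(dir);
    return r;
}

int naive_writer_clobbers_outside(void) { return demo_symlink_traversal().naive_clobbered; }
int hardened_writer_refuses(void)       { return demo_symlink_traversal().safe_refused; }

int main(void) {
    struct demo_result r = demo_symlink_traversal();
    printf("naive writer clobbered outside file: %d\n", r.naive_clobbered);
    printf("hardened writer refused the entry:   %d\n", r.safe_refused);
    return 0;
}
```

The refusal here only covers the final path component; an extractor also has to make sure no intermediate directory component is a symlink (for example by opening each directory with O_DIRECTORY|O_NOFOLLOW and using the *at() calls relative to that fd), which is a separate check this example does not perform.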
--- Begin Message ---
Source: squashfs-tools
Source-Version: 1:4.3-12+deb10u2
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
squashfs-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated squashfs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Oct 2021 21:23:35 +0200
Source: squashfs-tools
Architecture: source
Version: 1:4.3-12+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 994262
Changes:
 squashfs-tools (1:4.3-12+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * unsquashfs: use squashfs_closedir() to delete directory
   * unsquashfs: dynamically allocate name
   * unsquashfs: use linked list to store directory names
   * Unsquashfs: additional write outside destination directory exploit fix
     (CVE-2021-41072) (Closes: #994262)
   * Unsquashfs: Add makefile entry for unsquash-12.o
Checksums-Sha1: 
 0fb57861efebb6bbb175d1c1a837bb775ea5f0ab 2066 squashfs-tools_4.3-12+deb10u2.dsc
 b0073dc17e7f623c5f94fc6eebb0185c28484ebe 31820 squashfs-tools_4.3-12+deb10u2.debian.tar.xz
Checksums-Sha256: 
 572499ea1b8a4c67eda36e791d3a20e72f014979232fdff71443de368abd0a42 2066 squashfs-tools_4.3-12+deb10u2.dsc
 4b8f0c90987b54f5ae4d4ca8b7e2ad1ba68943b0f783714c10157dfead7cdbc3 31820 squashfs-tools_4.3-12+deb10u2.debian.tar.xz
Files: 
 ef7283b2a91d5d6a5855541566b7bd7a 2066 kernel optional squashfs-tools_4.3-12+deb10u2.dsc
 e399ce5394233dbdb91b6360b41a9c94 31820 kernel optional squashfs-tools_4.3-12+deb10u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
