squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
References
Link | Resource |
---|---|
https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd | Patch Third Party Advisory |
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202305-29 | |
https://www.debian.org/security/2021/dsa-4987 | Third Party Advisory |
https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd | Patch Third Party Advisory |
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202305-29 | |
https://www.debian.org/security/2021/dsa-4987 | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd - Patch, Third Party Advisory | |
References | () https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405 - Exploit, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html - Mailing List, Third Party Advisory | |
References | () https://security.gentoo.org/glsa/202305-29 - | |
References | () https://www.debian.org/security/2021/dsa-4987 - Third Party Advisory |
30 May 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2021-09-14 01:15
Updated : 2024-11-21 06:25
NVD link : CVE-2021-41072
Mitre link : CVE-2021-41072
CVE.ORG link : CVE-2021-41072
JSON object : View
Products Affected
squashfs-tools_project
- squashfs-tools
debian
- debian_linux