MGASA-2022-0010 - Updated squashfs-tools packages fix security vulnerability

Publication date: 11 Jan 2022
URL: https://advisories.mageia.org/MGASA-2022-0010.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-40153,
     CVE-2021-41072

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename
in the directory entry; this is then used by unsquashfs to create the new
file during the unsquash. The filename is not validated for traversal
outside of the destination directory, and thus allows writing to locations
outside of the destination. (CVE-2021-40153)
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory
Traversal, a different vulnerability than CVE-2021-40153. A squashfs
filesystem that has been crafted to include a symbolic link and then
contents under the same filename in a filesystem can cause unsquashfs to
first create the symbolic link pointing outside the expected directory,
and then the subsequent write operation will cause the unsquashfs process
to write through the symbolic link elsewhere in the filesystem.
(CVE-2021-41072)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29429
- https://ubuntu.com/security/notices/USN-5057-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
- https://www.debian.org/security/2021/dsa-4967
- https://ubuntu.com/security/notices/USN-5078-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/RGPPMRX4FP3CLIZKZFB2DODGNHXHPYD6/
- https://www.debian.org/security/2021/dsa-4987
- https://ubuntu.com/security/notices/USN-5078-3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40153
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072

SRPMS:
- 8/core/squashfs-tools-4.5-1.git5ae723.1.mga8