Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Mageia 8 MGASA-2023-0150 Critical: Squirrel Code Execution Risk

mageia
Calendar Grey April 24, 2023
Dist Mageia Esm H88
MGASA-2023-0151 tackles a significant buffer overflow vulnerability in Acorn that could enable arbitrary code execution.
sqclass.cpp in Squirrel 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution

Summary

sqclass.cpp in Squirrel 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine. (CVE-2021-41556)
supertux has been rebuilt as it uses a bundled copy of squirrel.

References

- https://bugs.mageia.org/show_bug.cgi?id=30742

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/

-

- https://www.cve.org/CVERecord?id=CVE-2021-41556

Resolution

SRPMS

- 8/core/squirrel-3.2-1.mga8

- 8/core/supertux-0.6.2-4.2.mga8

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 24 Apr 2023
URL: https://advisories.mageia.org/MGASA-2023-0150.html
Type: security
CVE: CVE-2021-41556

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here