Mageia 2023-0150: squirrel/supertux security update | LinuxSecurity...

What Are You Looking For?

Popular Tags

Sign Up
MGASA-2023-0150 - Updated squirrel/supertux packages fix security vulnerability

Publication date: 24 Apr 2023
URL: https://advisories.mageia.org/MGASA-2023-0150.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-41556

sqclass.cpp in Squirrel 3.1 allows an out-of-bounds read (in the core
interpreter) that can lead to Code Execution. If a victim executes an
attacker-controlled squirrel script, it is possible for the attacker to
break out of the squirrel script sandbox even if all dangerous
functionality such as File System functions has been disabled. An
attacker might abuse this bug to target (for example) Cloud services
that allow customization via SquirrelScripts, or distribute malware
through video games that embed a Squirrel Engine. (CVE-2021-41556)

supertux has been rebuilt as it uses a bundled copy of squirrel.

References:
- https://bugs.mageia.org/show_bug.cgi?id=30742
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/
- https://lists.opensuse.org/archives/list/[email protected]/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556

SRPMS:
- 8/core/squirrel-3.2-1.mga8
- 8/core/supertux-0.6.2-4.2.mga8

Mageia 2023-0150: squirrel/supertux security update

sqclass.cpp in Squirrel 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution

Summary

sqclass.cpp in Squirrel 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine. (CVE-2021-41556)
supertux has been rebuilt as it uses a bundled copy of squirrel.

References

- https://bugs.mageia.org/show_bug.cgi?id=30742

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/

- https://lists.opensuse.org/archives/list/[email protected]/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556

Resolution

MGASA-2023-0150 - Updated squirrel/supertux packages fix security vulnerability

SRPMS

- 8/core/squirrel-3.2-1.mga8

- 8/core/supertux-0.6.2-4.2.mga8

Severity
Publication date: 24 Apr 2023
URL: https://advisories.mageia.org/MGASA-2023-0150.html
Type: security
CVE: CVE-2021-41556

Related News

New Open-Source Tool Scans Public AWS S3 Buckets for Secrets

Windows Subsystem for Linux 0.65.1 is now live for all Insiders

News

Advisories

HOWTOs

Features

Is Linux A More Secure Option Than Windows For Businesses?
How Secure Is Linux?
How To Secure Against WordPress Vulnerabilities with Predictive Analysis Detection & Automated Remediation
Best Practices for PHP Security
Why Cloud Linux Is Beneficial for E-Commerce Stores

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy