Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 523
Alerts This Week
Warning Icon 1 523

openSUSE 2023:4591-1 Important: Multiple Squashfs Buffer Overflows

opensuse
Calendar Grey November 27, 2023
Scroller Opensuse
A significant patch release for squashfs, tackling several buffer overflow vulnerabilities through essential fixes.
This update for squashfs fixes the following issues: CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380)

Description

This update for squashfs fixes the following issues:

* CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs-

tools (bsc#935380)

* CVE-2021-40153: Fixed an issue where an attacker might have been able to

write a file outside of destination (bsc#1189936)

* CVE-2021-41072: Fixed an issue where an attacker might have been able to

write a file outside the destination directory via a symlink (bsc#1190531).

update to 4.6.1:

* Race condition which can cause corruption of the "fragment table" fixed.

This is a regression introduced in August 2022, and it has been seen when

tailend packing is used (-tailends option).

* Fix build failure when the tools are being built without extended attribute

(XATTRs) support.

* Fix XATTR error message when an unrecognised prefix is found

* Fix incorrect free of pointer when an unrecognised XATTR prefix is found.

* Major improvements in extended attribute handling, pseudo file handling, and

...

Read the Full Advisory

Patch

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like

YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4

zypper in -t patch openSUSE-SLE-15.4-2023-4591=1

* openSUSE Leap 15.5

zypper in -t patch openSUSE-SLE-15.5-2023-4591=1

* SUSE Linux Enterprise Micro for Rancher 5.3

zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1

* SUSE Linux Enterprise Micro 5.3

zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1

* SUSE Linux Enterprise Micro for Rancher 5.4

zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1

* SUSE Linux Enterprise Micro 5.4

zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1

* SUSE Linux Enterprise Micro 5.5

zypper in -t patch SUSE-SLE-Micro-5.5-2023-4591=1

* Basesystem Module 15-SP4

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4591=1

* Basesystem Module 15-SP5

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4591=1

* SUSE Linux Enterprise High Performance Computing...

Read the Full Advisory

Package List

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

* squashfs-4.6.1-150300.3.3.1

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

* squashfs-4.6.1-150300.3.3.1

* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

* squashfs-4.6.1-150300.3.3.1

* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

* squashfs-4.6.1-150300.3.3.1

* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

* squashfs-4.6.1-150300.3.3.1

* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)

* squashfs-debuginfo-4.6.1-150300.3.3.1

* squashfs-debugsource-4.6.1-150300.3.3.1

*...

Read the Full Advisory

References

* bsc#1189936

* bsc#1190531

* bsc#935380

## References:

* https://www.suse.com/security/cve/CVE-2015-4645.html

* https://www.suse.com/security/cve/CVE-2015-4646.html

* https://www.suse.com/security/cve/CVE-2021-40153.html

* https://www.suse.com/security/cve/CVE-2021-41072.html

* https://bugzilla.suse.com/show_bug.cgi?id=1189936

* https://bugzilla.suse.com/show_bug.cgi?id=1190531

* https://bugzilla.suse.com/show_bug.cgi?id=935380

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2023:4591-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.