
SUSE: 2024:2463-1 Important: Squashfs Buffer Overflows and Exploits

July 12, 2024
This bulletin covers patches for squashfs that address several security flaws, including buffer overflows in squashfs-tools and writes outside the extraction destination directory.

Summary

This update for squashfs fixes the following issues:

* CVE-2015-4645, CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools (bsc#935380)

* CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936)

* CVE-2021-41072: Fixed an issue where an attacker might have been able to write a file outside the destination directory via a symlink (bsc#1190531).

Update to 4.6.1:

* Race condition which can cause corruption of the "fragment table" fixed. This is a regression introduced in August 2022, and it has been seen when tailend packing is used (-tailends option).

* Fix build failure when the tools are being built without extended attribute (XATTRs) support.

* Fix XATTR error message when an unrecognised prefix is found.
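The "write a file outside the destination directory via a symlink" class fixed for CVE-2021-41072 typically arises when an extractor trusts a parent path that an earlier archive entry has already turned into a symlink. The following Python illustration is added here and is not squashfs-tools code: it replays that extraction order on a constructed entry list (the entry names and the `extract`/`demo` helpers are assumptions) and shows the parent-path containment check that refuses the write.

```python
import os
import tempfile

# Constructed archive listing (hypothetical), in the order an extractor would
# process it: a directory, a symlink pointing above the destination, then a
# regular file whose parent path is that symlink.
ENTRIES = [
    ("dir", "etc", None),
    ("symlink", "etc/escape", "../../outside"),
    ("file", "etc/escape/pwned.txt", b"written through the symlink\n"),
]

def extract(dest, entries, hardened):
    """Extract the constructed entries into dest; return the paths refused."""
    real_dest = os.path.realpath(dest)
    refused = []
    for kind, rel, payload in entries:
        full = os.path.join(dest, rel)
        if hardened:
            # Resolve the parent through any symlinks already extracted and
            # insist that the real parent still lies inside the destination.
            real_parent = os.path.realpath(os.path.dirname(full))
            if os.path.commonpath([real_parent, real_dest]) != real_dest:
                refused.append(rel)
                continue
        if kind == "dir":
            os.makedirs(full, exist_ok=True)
        elif kind == "symlink":
            os.symlink(payload, full)
        else:
            # Naive behaviour: open() follows the symlinked parent, so the
            # write lands outside dest when hardened is False.
            with open(full, "wb") as fh:
                fh.write(payload)
    return refused

def demo(hardened):
    """Run one extraction in a fresh temp tree; return (refused, files outside)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        outside = os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        refused = extract(dest, ENTRIES, hardened)
        return refused, sorted(os.listdir(outside))

if __name__ == "__main__":
    print("naive:", demo(False))     # ([], ['pwned.txt'])
    print("hardened:", demo(True))   # (['etc/escape/pwned.txt'], [])
```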

References

* bsc#1189936

* bsc#1190531

* bsc#935380

Cross-References:

* CVE-2015-4645

* CVE-2015-4646

* CVE-2021-40153

* CVE-2021-41072

CVSS scores:

* CVE-2015-4645 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

* CVE-2015-4645 (NVD): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

* CVE-2015-4646 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

* CVE-2021-40153 (SUSE): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

* CVE-2021-40153 (NVD): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

* CVE-2021-41072 (SUSE): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

* CVE-2021-41072 (NVD): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Affected Products:

* SUSE Linux Enterprise Micro 5.5

An update that solves four vulnerabilities can now be installed.


Announcement ID: SUSE-SU-2024:2463-1
Rating: important
