CVE-2021-41072

NameCVE-2021-41072
Descriptionsquashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2789-1, DSA-4987-1
Debian Bugs994262

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squashfs-tools (PTS)bullseye (security), bullseye1:4.4-2+deb11u2fixed
bookworm1:4.5.1-1fixed
sid, trixie1:4.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squashfs-toolssourcestretch1:4.3-3+deb9u3DLA-2789-1
squashfs-toolssourcebuster1:4.3-12+deb10u2DSA-4987-1
squashfs-toolssourcebullseye1:4.4-2+deb11u2DSA-4987-1
squashfs-toolssource(unstable)1:4.5-3994262

Notes

Prerequisites:
https://github.com/plougher/squashfs-tools/commit/80b8441a37fcf8bf07dacf24d9d6c6459a0f6e36
https://github.com/plougher/squashfs-tools/commit/1993a4e7aeda04962bf26e84c15fba8b58837e10
https://github.com/plougher/squashfs-tools/commit/9938154174756ee48a94ea0b076397a2944b028d
Fixed by: https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
Followup fix: https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c
https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
Search for package or bug name: Reporting problems