[Bug 1941790] Re: squashfs-tools 4.5 / "write outside directory" exploit fix back port?

Alex Murray 1941790 at bugs.launchpad.net
Mon Aug 30 00:40:26 UTC 2021


CVE-2021-40153 was assigned for this -
https://nvd.nist.gov/vuln/detail/CVE-2021-40153

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40153

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to squashfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1941790

Title:
  squashfs-tools 4.5 / "write outside directory" exploit fix back port?

Status in squashfs-tools package in Ubuntu:
  New

Bug description:
  The squashfs-tools 4.5 release addresses an issue where `unsquashfs`
  can extract files outside of its target directory, given a malicious
  input file.

  This issue was reported back in 2019 at:
  https://github.com/plougher/squashfs-tools/issues/72

  The squashfs-tools release notes mention the fix:
  https://github.com/plougher/squashfs-tools/blob/master/CHANGES

  > 3.13 Unsquashfs "write outside directory" exploit fixed.

  Is Ubuntu aware of this issue w.r.t. back porting to distro release
  versions of squashfs-tools?
