UbuntuUpdates.org

Package "squashfs-tools"

Name: squashfs-tools

Description:

Tool to create and append to squashfs filesystems
Latest version: 1:4.3-6ubuntu0.18.04.4
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://squashfs.sourceforge.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "squashfs-tools"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "squashfs-tools" in Bionic

Repository Area Version
base main 1:4.3-6
updates main 1:4.3-6ubuntu0.18.04.4

Changelog

Version: 1:4.3-6ubuntu0.18.04.4 2021-09-15 03:06:16 UTC

  squashfs-tools (1:4.3-6ubuntu0.18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via symlinks in unsquashfs
    - debian/patches/0014-CVE-2021-41072-1.patch: Use
      unsquashfs_closedir() when deleting directories in unsquash-N.c
    - debian/patches/0015-CVE-2021-41072-2.patch: Dynamically allocate
      structure names in unsquash-N.c
    - debian/patches/0016-CVE-2021-41072-3.patch: Store directory names in
      a linked list to allow sorting in unsquash-N.c
    - debian/patches/0017-CVE-2021-41072-4.patch: Sort directory entries in
      squashfs images and treat duplicate directory entries with the same
      name as invalid in unsquash-N.c
    - debian/patches/0018-CVE-2021-41072-5.patch: Fixup Makefile entry for
      unsquash-12.o
    - CVE-2021-41072

 -- Alex Murray <email address hidden> Tue, 14 Sep 2021 18:13:17 +0930
Source diff to previous version
CVE-2021-41072 squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesyst

Version: 1:4.3-6ubuntu0.18.04.3 2021-08-31 02:06:16 UTC

  squashfs-tools (1:4.3-6ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via relative paths in unsquashfs
    (LP: #1941790)
    - debian/patches/0013-CVE-2021-40153.patch:
      Treat squashfs images which contain files with names containing
      constructs like ../ as corrupted in unsquash-N.c
    - CVE-2021-40153

 -- Alex Murray <email address hidden> Fri, 27 Aug 2021 15:50:47 +0930
1941790 squashfs-tools 4.5 / \
CVE-2021-40153 squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new


About   -   Send Feedback to @ubuntu_updates