UbuntuUpdates.org

Package "squashfs-tools"

Name: squashfs-tools

Description:

Tool to create and append to squashfs filesystems

Latest version: 1:4.4-1ubuntu0.3
Release: focal (20.04)
Level: security
Repository: main
Homepage: https://github.com/plougher/squashfs-tools

Links


Download "squashfs-tools"


Other versions of "squashfs-tools" in Focal

Repository Area Version
base main 1:4.4-1
updates main 1:4.4-1ubuntu0.3

Changelog

Version: 1:4.4-1ubuntu0.3 2021-10-13 02:06:17 UTC

  squashfs-tools (1:4.4-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Properly handle directory sorting in 2.x filesystems
    - debian/patches/0007-CVE-2021-41072-4.patch: Fix to check filesystem
      version and sort accordingly when needed
    - CVE-2021-41072

 -- Alex Murray <email address hidden> Tue, 12 Oct 2021 11:06:41 +1030

Source diff to previous version
CVE-2021-41072 squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesyst

Version: 1:4.4-1ubuntu0.2 2021-09-15 03:06:18 UTC

  squashfs-tools (1:4.4-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via symlinks in unsquashfs
    - debian/patches/0002-CVE-2021-41072-1.patch: Use
      unsquashfs_closedir() when deleting directories in unsquash-N.c
    - debian/patches/0003-CVE-2021-41072-2.patch: Dynamically allocate
      structure names in unsquash-N.c
    - debian/patches/0004-CVE-2021-41072-3.patch: Store directory names in
      a linked list to allow sorting in unsquash-N.c
    - debian/patches/0005-CVE-2021-41072-4.patch: Sort directory entries in
      squashfs images and treat duplicate directory entries with the same
      name as invalid in unsquash-N.c
    - debian/patches/0006-CVE-2021-41072-5.patch: Fixup Makefile entry for
      unsquash-12.o
    - CVE-2021-41072

 -- Alex Murray <email address hidden> Tue, 14 Sep 2021 16:52:23 +0930

Source diff to previous version
CVE-2021-41072 squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesyst

Version: 1:4.4-1ubuntu0.1 2021-08-31 02:06:18 UTC

  squashfs-tools (1:4.4-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via relative paths in unsquashfs
    (LP: #1941790)
    - debian/patches/0001-CVE-2021-40153.patch:
      Treat squashfs images which contain files with names containing
      constructs like ../ as corrupted in unsquash-N.c
    - CVE-2021-40153

 -- Alex Murray <email address hidden> Fri, 27 Aug 2021 15:03:47 +0930

1941790 squashfs-tools 4.5 / \
CVE-2021-40153 squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new



About   -   Send Feedback to @ubuntu_updates