Description
ELSA-2024-3139: squashfs-tools security update (MODERATE)
[4.3-21]
- CVE-2021-41072 squashfs-tools: additional write outside destination directory exploit fix
  CVE-2021-40153 squashfs-tools: unvalidated filepaths allow writing outside of destination
  Resolves: rhbz#2007303 rhbz#2000637
Updated packages
Oracle Linux 8
Oracle Linux aarch64
squashfs-tools
4.3-21.el8
Oracle Linux x86_64
squashfs-tools
4.3-21.el8
Related CVEs
Related vulnerabilities
oracle-oval
more than 1 year ago
ELSA-2024-2396: squashfs-tools security update (MODERATE)
CVSS3: 8.1
ubuntu
almost 4 years ago
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.