Описание
Moderate: squashfs-tools security update
SquashFS is a highly compressed read-only file system for Linux. These packages contain the utilities for manipulating squashfs file systems.
Security Fix(es):
-
squashfs-tools: unvalidated filepaths allow writing outside of destination (CVE-2021-40153)
-
squashfs-tools: possible Directory Traversal via symbolic link (CVE-2021-41072)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Rocky Linux 8.10 Release Notes linked from the References section.
Затронутые продукты
Rocky Linux 8
Связанные CVE
Исправления
- Red Hat - 1998621
- Red Hat - 2004957
Связанные уязвимости
ELSA-2024-3139: squashfs-tools security update (MODERATE)
ELSA-2024-2396: squashfs-tools security update (MODERATE)
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.