squashfs-tools 4.5 / "write outside directory" exploit fix back port?
Bug #1941790 reported by
David Trudgian
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| squashfs-tools (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
The squashfs-tools 4.5 release addresses an issue where `unsquashfs` can extract files outside of its target directory, given a malicious input file.
This issue was reported back in 2019 at: https:/
The squashfs-tools release notes mention the fix: https:/
> 3.13 Unsquashfs "write outside directory" exploit fixed.
Is Ubuntu aware of this issue w.r.t. back porting to distro release versions squashfs-tools?
CVE References
Revision history for this message
| Seth Arnold (seth-arnold) wrote | #1 |
| information type: | Private Security → Public Security |
Revision history for this message
| Alex Murray (alexmurray) wrote | #2 |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in squashfs-tools (Ubuntu): | |
| status: | New → Fix Released |
To post a comment you must log in.
Thanks David for the notice; I've asked MITRE to assign a CVE for us.