squashfs-tools 4.5 / "write outside directory" exploit fix back port?

Bug #1941790 reported by David Trudgian
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| squashfs-tools (Ubuntu) | Fix Released | | | |

Bug Description

The squashfs-tools 4.5 release addresses an issue where `unsquashfs` can extract files outside of its target directory, given a malicious input file.

This issue was reported back in 2019 at: https://github.com/plougher/squashfs-tools/issues/72

The squashfs-tools release notes mention the fix: https://github.com/plougher/squashfs-tools/blob/master/CHANGES

> 3.13 Unsquashfs "write outside directory" exploit fixed.

Is Ubuntu aware of this issue w.r.t. back porting to distro release versions of squashfs-tools?

Seth Arnold (seth-arnold) wrote :

Thanks David for the notice; I've asked MITRE to assign a CVE for us.

information type: Private Security → Public Security
Alex Murray (alexmurray) wrote :

CVE-2021-40153 was assigned for this - https://nvd.nist.gov/vuln/detail/CVE-2021-40153

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.4-2ubuntu0.1

squashfs-tools (1:4.4-2ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via relative paths in unsquashfs
    (LP: #1941790)
    - debian/patches/0003-CVE-2021-40153.patch:
      Treat squashfs images which contain files with names containing
      constructs like ../ as corrupted in unsquash-N.c
    - CVE-2021-40153

 -- Alex Murray <email address hidden> Fri, 27 Aug 2021 14:54:27 +0930

Changed in squashfs-tools (Ubuntu):
status: New → Fix Released
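
The changelog above describes the fix as treating images whose file names contain constructs like `../` as corrupted. The following C code is an added illustration of that kind of per-entry name check; it is not taken from `0003-CVE-2021-40153.patch` or from squashfs-tools. The names `entry_name_ok`, `first_bad_entry`, `struct entry` and the sample listing are hypothetical, and it assumes each directory entry arrives as a name plus an explicit length.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical directory entry: a name plus its stored length
 * (assumption of this example; the name need not be NUL-terminated). */
struct entry { const char *name; size_t size; };

/* Returns 1 if the name is a single, ordinary path component that is safe
 * to append to the extraction directory, 0 if the image should be treated
 * as corrupted. */
int entry_name_ok(const char *name, size_t size)
{
    if (size == 0)
        return 0;
    /* "." and ".." resolve to the current or the parent directory */
    if (size == 1 && name[0] == '.')
        return 0;
    if (size == 2 && name[0] == '.' && name[1] == '.')
        return 0;
    /* One entry names one component: no separators, and no embedded NUL
     * that would make C string functions see a shorter name. */
    for (size_t i = 0; i < size; i++)
        if (name[i] == '/' || name[i] == '\0')
            return 0;
    return 1;
}

/* Check a whole listing before writing anything; returns the index of the
 * first rejected entry, or -1 if every name is acceptable. */
int first_bad_entry(const struct entry *ents, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (!entry_name_ok(ents[i].name, ents[i].size))
            return (int)i;
    return -1;
}

/* Constructed sample listing, not taken from any real image. */
static const struct entry sample_dir[] = {
    { "bin", 3 }, { "..hidden", 8 }, { "../etc", 6 }, { "..", 2 },
};

int main(void)
{
    int bad = first_bad_entry(sample_dir, 4);
    if (bad >= 0)
        printf("corrupted image: bad name at entry %d\n", bad);
    return bad >= 0;
}
```

Validating the whole listing first means a bad name aborts extraction before any file is written, rather than after earlier entries have already been created.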