squashfs-tools 4.5 / "write outside directory" exploit fix back port?

Bug #1941790 reported by David Trudgian
This bug affects 1 person
Affects Status Importance Assigned to Milestone
squashfs-tools (Ubuntu)
Fix Released

Bug Description

The squashfs-tools 4.5 release addresses an issue where `unsquashfs` can extract files outside of its target directory, given a malicious input file.

This issue was reported back in 2019 at: https://github.com/plougher/squashfs-tools/issues/72

The squashfs-tools release notes mention the fix: https://github.com/plougher/squashfs-tools/blob/master/CHANGES

> 3.13 Unsquashfs "write outside directory" exploit fixed.

Is Ubuntu aware of this issue w.r.t. back porting to distro release versions squashfs-tools?

CVE References

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks David for the notice; I've asked MITRE to assign a CVE for us.

information type: Private Security → Public Security
Revision history for this message
Alex Murray (alexmurray) wrote :

CVE-2021-40153 was assigned for this - https://nvd.nist.gov/vuln/detail/CVE-2021-40153

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.4-2ubuntu0.1

squashfs-tools (1:4.4-2ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Directory traversal via relative paths in unsquashfs
    (LP: #1941790)
    - debian/patches/0003-CVE-2021-40153.patch:
      Treat squashfs images which contain files with names containing
      constructs like ../ as corrupted in unsquash-N.c
    - CVE-2021-40153

 -- Alex Murray <email address hidden> Fri, 27 Aug 2021 14:54:27 +0930

Changed in squashfs-tools (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.