CVE-2021-41072: Path Traversal
First published: Tue Sep 14 2021(Updated: )
A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem. Upstream Issue: <a href="https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405">https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/squashfs-tools | 1:4.3-12+deb10u2 1:4.4-2+deb11u2 1:4.5.1-1 1:4.6.1-1 | |
| debian/squashfs-tools | <=1:4.3-12<=1:4.5-2<=1:4.4-2+deb11u1<=1:4.4-2<=1:4.3-12+deb10u1 | 1:4.5-3 1:4.3-12+deb10u2 1:4.4-2+deb11u2 |
| Squashfs-tools Project Squashfs-tools | =4.5 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/plougher/squashfs-tools/commit/80b8441a37fcf8bf07dacf24d9d6c6459a0f6e36
- https://github.com/plougher/squashfs-tools/commit/1993a4e7aeda04962bf26e84c15fba8b58837e10
- https://github.com/plougher/squashfs-tools/commit/9938154174756ee48a94ea0b076397a2944b028d
- https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
- https://github.com/plougher/squashfs-tools/commit/19fcc9365dcdb2c22d232d42d11012940df64b7c
- https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
- https://security-tracker.debian.org/tracker/CVE-2021-41072
- https://security-tracker.debian.org/tracker/CVE-2021-40153
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41072
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994262
- https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html
- https://security.gentoo.org/glsa/202305-29
- https://www.debian.org/security/2021/dsa-4987
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2004958
- https://access.redhat.com/errata/RHSA-2024:2396
- https://bugzilla.redhat.com/show_bug.cgi?id=2004957
Frequently Asked Questions
What is CVE-2021-41072 vulnerability?
CVE-2021-41072 is a high severity vulnerability in Squashfs-Tools 4.5 that allows directory traversal.
How does CVE-2021-41072 affect Squashfs-Tools?
CVE-2021-41072 allows an attacker to perform directory traversal in a squashfs filesystem.
What is the severity of CVE-2021-41072?
CVE-2021-41072 has a severity rating of 8.1 (high).
How do I fix CVE-2021-41072 in Squashfs-Tools?
To fix CVE-2021-41072, update Squashfs-Tools to version 1:4.3-12+deb10u2, 1:4.4-2+deb11u2, 1:4.5.1-1, or 1:4.6.1-1.
Where can I find more information about CVE-2021-41072?
You can find more information about CVE-2021-41072 at the following references: [reference 1](https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd), [reference 2](https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405), [reference 3](https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html).
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2021-41072
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/references
- agent/severity
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/debian
- vendor/squashfs-tools project
- canonical/squashfs-tools project squashfs-tools
- version/squashfs-tools project squashfs-tools/4.5
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0