First published: Tue Sep 14 2021(Updated: )
A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem. Upstream Issue: <a href="https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405">https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/squashfs-tools | 1:4.3-12+deb10u2 1:4.4-2+deb11u2 1:4.5.1-1 1:4.6.1-1 | |
debian/squashfs-tools | <=1:4.3-12<=1:4.5-2<=1:4.4-2+deb11u1<=1:4.4-2<=1:4.3-12+deb10u1 | 1:4.5-3 1:4.3-12+deb10u2 1:4.4-2+deb11u2 |
Squashfs-tools Project Squashfs-tools | =4.5 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-41072 is a high severity vulnerability in Squashfs-Tools 4.5 that allows directory traversal.
CVE-2021-41072 allows an attacker to perform directory traversal in a squashfs filesystem.
CVE-2021-41072 has a severity rating of 8.1 (high).
To fix CVE-2021-41072, update Squashfs-Tools to version 1:4.3-12+deb10u2, 1:4.4-2+deb11u2, 1:4.5.1-1, or 1:4.6.1-1.
You can find more information about CVE-2021-41072 at the following references: [reference 1](https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd), [reference 2](https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405), [reference 3](https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html).