CVE-2021-41072

14.09.2021, 01:15

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 86%

Vendor	Product	Version
squashfs-tools_project	squashfs-tools	4.5
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

squashfs-tools

bullseye (security)	1:4.4-2+deb11u2 fixed
bullseye	1:4.4-2+deb11u2 fixed
bookworm	1:4.5.1-1 fixed
sid	1:4.6.1-1 fixed
trixie	1:4.6.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

squashfs-tools

jammy	Fixed 1:4.4-2ubuntu2 released
impish	Fixed 1:4.4-2ubuntu2 released
hirsute	Fixed 1:4.4-2ubuntu0.2 released
focal	Fixed 1:4.4-1ubuntu0.2 released
bionic	Fixed 1:4.3-6ubuntu0.18.04.4 released
xenial	Fixed 1:4.3-3ubuntu2.16.04.3+esm1 released
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd

https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405

https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html

https://security.gentoo.org/glsa/202305-29

https://www.debian.org/security/2021/dsa-4987

https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd

https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405

https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html

https://security.gentoo.org/glsa/202305-29

https://www.debian.org/security/2021/dsa-4987