CVE-2021-40153

Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40153.json
Published
2021-08-27T15:15:00Z
Modified
2023-08-31T02:29:06.594602Z
Details

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

References

Affected packages

Alpine:v3.11 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r6

Alpine:v3.12 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r6

Alpine:v3.13 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1

Alpine:v3.14 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1

Alpine:v3.15 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1

Alpine:v3.16 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1

Alpine:v3.17 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1

Alpine:v3.18 / squashfs-tools

Source Details

Package Name
squashfs-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.5-r0

Affected versions

4.*

4.0-r0
4.0-r1
4.1-r0
4.2-r0
4.2-r1
4.2-r2
4.3-r0
4.3-r1
4.3-r2
4.3-r3
4.3-r4
4.3-r5
4.3-r6
4.4-r0
4.4-r1