OESA-2021-1425

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1425
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1425.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2021-1425
Upstream
Published
2021-11-12T11:03:20Z
Modified
2025-09-03T06:17:37.525699Z
Summary
squashfs-tools security update
Details

Squashfs is a highly compressed read-only filesystem for Linux. It uses either gzip/xz/lzo/lz4/zstd compression to compress both files, inodes and directories.

Security Fix(es):

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.(CVE-2021-41072)

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.(CVE-2021-40153)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / squashfs-tools

Package

Name
squashfs-tools
Purl
pkg:rpm/openEuler/squashfs-tools&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4-5.oe1

Ecosystem specific 

{
    "src": [
        "squashfs-tools-4.4-5.oe1.src.rpm"
    ],
    "aarch64": [
        "squashfs-tools-4.4-5.oe1.aarch64.rpm",
        "squashfs-tools-debuginfo-4.4-5.oe1.aarch64.rpm",
        "squashfs-tools-debugsource-4.4-5.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "squashfs-tools-debuginfo-4.4-5.oe1.x86_64.rpm",
        "squashfs-tools-debugsource-4.4-5.oe1.x86_64.rpm",
        "squashfs-tools-4.4-5.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP2 / squashfs-tools

Package

Name
squashfs-tools
Purl
pkg:rpm/openEuler/squashfs-tools&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4-5.oe1

Ecosystem specific 

{
    "src": [
        "squashfs-tools-4.4-5.oe1.src.rpm"
    ],
    "aarch64": [
        "squashfs-tools-debugsource-4.4-5.oe1.aarch64.rpm",
        "squashfs-tools-4.4-5.oe1.aarch64.rpm",
        "squashfs-tools-debuginfo-4.4-5.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "squashfs-tools-4.4-5.oe1.x86_64.rpm",
        "squashfs-tools-debugsource-4.4-5.oe1.x86_64.rpm",
        "squashfs-tools-debuginfo-4.4-5.oe1.x86_64.rpm"
    ]
}