CVE-2021-40153

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

Published: Aug 27, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-40153
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
squashfs-tools_project / squashfs-tools	4.5	4.5.x
fedoraproject / fedora	34	34.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	8.0	8.0.x
fedoraproject / fedora	33	33.x

https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1941790
https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646
https://github.com/plougher/squashfs-tools/issues/72
https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/
https://lists.fedoraproject.org/archives/list/[email protected]/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
https://security.gentoo.org/glsa/202305-29
https://www.debian.org/security/2021/dsa-4967

Vulnerability Database

290,206

CVE-2021-40153