Main Vulnerability Database SB2021101346

SB2021101346 - Ubuntu update for squashfs-tools

Published: October 13, 2021

Security Bulletin ID SB2021101346

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Link following (CVE-ID: CVE-2021-41072)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to a link following issue in squashfs_opendir in unsquash-2.c when processing a squashfs filesystem that has been crafted to include a symbolic link under the same filename in a filesystem. The attacker can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-5078-3