{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for squashfs","title":"Title of the patch"},{"category":"description","text":"This update for squashfs fixes the following issues:\n\n- CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools (bsc#935380)\n- CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936)\n- CVE-2021-41072: Fixed an issue where an attacker might have been\n  able to write a file outside the destination directory via a\n  symlink (bsc#1190531).\n\nupdate to 4.6.1:\n\n  * Race condition which can cause corruption of the 'fragment\n    table' fixed.  This is a regression introduced in August 2022,\n    and it has been seen when tailend packing is used (-tailends option).\n  * Fix build failure when the tools are being built without\n    extended attribute (XATTRs) support.\n  * Fix XATTR error message when an unrecognised prefix is\n    found\n  * Fix incorrect free of pointer when an unrecognised XATTR\n    prefix is found.\n  * Major improvements in extended attribute handling,\n    pseudo file handling, and miscellaneous new options and\n    improvements\n  * Extended attribute handling improved in Mksquashfs and\n    Sqfstar\n  * New Pseudo file xattr definition to add extended\n    attributes to files.\n  * New xattrs-add Action to add extended attributes to files\n  * Extended attribute handling improved in Unsquashfs\n  * Other major improvements\n  * Unsquashfs can now output Pseudo files to standard out.\n  * Mksquashfs can now input Pseudo files from standard in.\n  * Squashfs filesystems can now be converted (different\n    block size compression etc) without unpacking to an\n    intermediate filesystem or mounting, by piping the output of\n    Unsquashfs to Mksquashfs.\n  * Pseudo files are now supported by Sqfstar.\n  * 'Non-anchored' excludes are now supported by Unsquashfs.\n\nupdate to 4.5.1 (bsc#1190531, CVE-2021-41072):\n\n  * This release adds Manpages for Mksquashfs(1), Unsquashfs(1),\n    Sqfstar(1) and Sqfscat(1).\n  * The -help text output from the utilities has been improved\n    and extended as well (but the Manpages are now more\n    comprehensive).\n  * CVE-2021-41072 which is a writing outside of destination\n    exploit, has been fixed.\n  * The number of hard-links in the filesystem is now also\n    displayed by Mksquashfs in the output summary.\n  * The number of hard-links written by Unsquashfs is now\n    also displayed in the output summary.\n  * Unsquashfs will now write to a pre-existing destination\n    directory, rather than aborting.\n  * Unsquashfs now allows '.' to used as the destination, to\n    extract to the current directory.\n  * The Unsquashfs progress bar now tracks empty files and\n    hardlinks, in addition to data blocks.\n  * -no-hardlinks option has been implemented for Sqfstar.\n  * More sanity checking for 'corrupted' filesystems, including\n    checks for multiply linked directories and directory loops.\n  * Options that may cause filesystems to be unmountable have\n    been moved into a new 'experts' category in the Mksquashfs\n    help text (and Manpage).\n  * Maximum cpiostyle filename limited to PATH_MAX.  This\n    prevents attempts to overflow the stack, or cause system\n    calls to fail with a too long pathname.\n  * Don't always use 'max open file limit' when calculating\n    length of queues, as a very large file limit can cause\n    Unsquashfs to abort.  Instead use the smaller of max open\n    file limit and cache size.\n  * Fix Mksquashfs silently ignoring Pseudo file definitions\n    when appending.\n  * Don't abort if no XATTR support has been built in, and\n    there's XATTRs in the filesystem.  This is a regression\n    introduced in 2019 in Version 4.4.\n  * Fix duplicate check when the last file block is sparse.\n\nupdate to 4.5:\n\n  * Mksquashfs now supports 'Actions'.\n  * New sqfstar command which will create a Squashfs image from a tar archive.\n  * Tar style handling of source pathnames in Mksquashfs.\n  * Cpio style handling of source pathnames in Mksquashfs.\n  * New option to throttle the amount of CPU and I/O.\n  * Mksquashfs now allows no source directory to be specified.\n  * New Pseudo file 'R' definition which allows a Regular file\n    o be created with data stored within the Pseudo file.\n  * Symbolic links are now followed in extract files\n  * Unsquashfs now supports 'exclude' files.\n  * Max depth traversal option added.\n  * Unsquashfs can now output a 'Pseudo file' representing the\n    input Squashfs filesystem.\n  * New -one-file-system option in Mksquashfs.\n  * New -no-hardlinks option in Mksquashfs.\n  * Exit code in Unsquashfs changed to distinguish between\n    non-fatal errors (exit 2), and fatal errors (exit 1).\n  * Xattr id count added in Unsquashfs '-stat' output.\n  * Unsquashfs 'write outside directory' exploit fixed.\n  * Error handling in Unsquashfs writer thread fixed.\n  * Fix failure to truncate destination if appending aborted.\n  * Prevent Mksquashfs reading the destination file. \n","title":"Description of the patch"},{"category":"details","text":"SUSE-2024-2463,SUSE-SLE-Micro-5.5-2024-2463","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2463-1.json"},{"category":"self","summary":"URL for SUSE-SU-2024:2463-1","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20242463-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2024:2463-1","url":"https://lists.suse.com/pipermail/sle-updates/2024-July/035988.html"},{"category":"self","summary":"SUSE Bug 1189936","url":"https://bugzilla.suse.com/1189936"},{"category":"self","summary":"SUSE Bug 1190531","url":"https://bugzilla.suse.com/1190531"},{"category":"self","summary":"SUSE Bug 935380","url":"https://bugzilla.suse.com/935380"},{"category":"self","summary":"SUSE CVE CVE-2015-4645 page","url":"https://www.suse.com/security/cve/CVE-2015-4645/"},{"category":"self","summary":"SUSE CVE CVE-2015-4646 page","url":"https://www.suse.com/security/cve/CVE-2015-4646/"},{"category":"self","summary":"SUSE CVE CVE-2021-40153 page","url":"https://www.suse.com/security/cve/CVE-2021-40153/"},{"category":"self","summary":"SUSE CVE CVE-2021-41072 page","url":"https://www.suse.com/security/cve/CVE-2021-41072/"}],"title":"Security update for squashfs","tracking":{"current_release_date":"2024-07-12T13:55:05Z","generator":{"date":"2024-07-12T13:55:05Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2024:2463-1","initial_release_date":"2024-07-12T13:55:05Z","revision_history":[{"date":"2024-07-12T13:55:05Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"squashfs-4.6.1-150300.3.3.1.ppc64le","product":{"name":"squashfs-4.6.1-150300.3.3.1.ppc64le","product_id":"squashfs-4.6.1-150300.3.3.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Micro 5.5","product":{"name":"SUSE Linux Enterprise Micro 5.5","product_id":"SUSE Linux Enterprise Micro 5.5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-micro:5.5"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"squashfs-4.6.1-150300.3.3.1.ppc64le as component of SUSE Linux Enterprise Micro 5.5","product_id":"SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"},"product_reference":"squashfs-4.6.1-150300.3.3.1.ppc64le","relates_to_product_reference":"SUSE Linux Enterprise Micro 5.5"}]},"vulnerabilities":[{"cve":"CVE-2015-4645","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2015-4645"}],"notes":[{"category":"general","text":"Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]},"references":[{"category":"external","summary":"CVE-2015-4645","url":"https://www.suse.com/security/cve/CVE-2015-4645"},{"category":"external","summary":"SUSE Bug 935380 for CVE-2015-4645","url":"https://bugzilla.suse.com/935380"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"scores":[{"cvss_v3":{"baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"threats":[{"category":"impact","date":"2024-07-12T13:55:05Z","details":"moderate"}],"title":"CVE-2015-4645"},{"cve":"CVE-2015-4646","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2015-4646"}],"notes":[{"category":"general","text":"(1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash-4.c in Squashfs and sasquatch allow remote attackers to cause a denial of service (application crash) via a crafted input.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]},"references":[{"category":"external","summary":"CVE-2015-4646","url":"https://www.suse.com/security/cve/CVE-2015-4646"},{"category":"external","summary":"SUSE Bug 935380 for CVE-2015-4646","url":"https://bugzilla.suse.com/935380"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"scores":[{"cvss_v3":{"baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"threats":[{"category":"impact","date":"2024-07-12T13:55:05Z","details":"moderate"}],"title":"CVE-2015-4646"},{"cve":"CVE-2021-40153","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-40153"}],"notes":[{"category":"general","text":"squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]},"references":[{"category":"external","summary":"CVE-2021-40153","url":"https://www.suse.com/security/cve/CVE-2021-40153"},{"category":"external","summary":"SUSE Bug 1189936 for CVE-2021-40153","url":"https://bugzilla.suse.com/1189936"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"scores":[{"cvss_v3":{"baseScore":6.6,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","version":"3.1"},"products":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"threats":[{"category":"impact","date":"2024-07-12T13:55:05Z","details":"moderate"}],"title":"CVE-2021-40153"},{"cve":"CVE-2021-41072","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-41072"}],"notes":[{"category":"general","text":"squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]},"references":[{"category":"external","summary":"CVE-2021-41072","url":"https://www.suse.com/security/cve/CVE-2021-41072"},{"category":"external","summary":"SUSE Bug 1189936 for CVE-2021-41072","url":"https://bugzilla.suse.com/1189936"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"scores":[{"cvss_v3":{"baseScore":6.6,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","version":"3.1"},"products":["SUSE Linux Enterprise Micro 5.5:squashfs-4.6.1-150300.3.3.1.ppc64le"]}],"threats":[{"category":"impact","date":"2024-07-12T13:55:05Z","details":"moderate"}],"title":"CVE-2021-41072"}]}