squashfs-4.6.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13035 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z squashfs-4.6.1-2.1 on GA media These are all security issues fixed in the squashfs-4.6.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13035 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13035 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-40153/ SUSE CVE CVE-2021-40153 page openSUSE Tumbleweed squashfs-4.6.1-2.1 squashfs-4.6.1-2.1 as a component of openSUSE Tumbleweed squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination. CVE-2021-40153 openSUSE Tumbleweed:squashfs-4.6.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-40153.html CVE-2021-40153 https://bugzilla.suse.com/1189936 SUSE Bug 1189936