{"affected":[{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.3","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Micro%205.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.4","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Micro%205.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.5","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Micro%205.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP4","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP5","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP3-ESPOS","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP3-LTSS","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP3","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Manager Proxy 4.2","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Manager%20Proxy%204.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Manager Server 4.2","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Manager%20Server%204.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.1","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Micro%205.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.2","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Linux%20Enterprise%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"SUSE:Enterprise Storage 7.1","name":"squashfs","purl":"pkg:rpm/suse/squashfs&distro=SUSE%20Enterprise%20Storage%207.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap Micro 5.3","name":"squashfs","purl":"pkg:rpm/opensuse/squashfs&distro=openSUSE%20Leap%20Micro%205.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap Micro 5.4","name":"squashfs","purl":"pkg:rpm/opensuse/squashfs&distro=openSUSE%20Leap%20Micro%205.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.4","name":"squashfs","purl":"pkg:rpm/opensuse/squashfs&distro=openSUSE%20Leap%2015.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"squashfs":"4.6.1-150300.3.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"squashfs","purl":"pkg:rpm/opensuse/squashfs&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.1-150300.3.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for squashfs fixes the following issues:\n\n- CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools (bsc#935380)\n- CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936)\n- CVE-2021-41072: Fixed an issue where an attacker might have been\n  able to write a file outside the destination directory via a\n  symlink (bsc#1190531).\n\nupdate to 4.6.1:\n\n  * Race condition which can cause corruption of the 'fragment\n    table' fixed.  This is a regression introduced in August 2022,\n    and it has been seen when tailend packing is used (-tailends option).\n  * Fix build failure when the tools are being built without\n    extended attribute (XATTRs) support.\n  * Fix XATTR error message when an unrecognised prefix is\n    found\n  * Fix incorrect free of pointer when an unrecognised XATTR\n    prefix is found.\n  * Major improvements in extended attribute handling,\n    pseudo file handling, and miscellaneous new options and\n    improvements\n  * Extended attribute handling improved in Mksquashfs and\n    Sqfstar\n  * New Pseudo file xattr definition to add extended\n    attributes to files.\n  * New xattrs-add Action to add extended attributes to files\n  * Extended attribute handling improved in Unsquashfs\n  * Other major improvements\n  * Unsquashfs can now output Pseudo files to standard out.\n  * Mksquashfs can now input Pseudo files from standard in.\n  * Squashfs filesystems can now be converted (different\n    block size compression etc) without unpacking to an\n    intermediate filesystem or mounting, by piping the output of\n    Unsquashfs to Mksquashfs.\n  * Pseudo files are now supported by Sqfstar.\n  * 'Non-anchored' excludes are now supported by Unsquashfs.\n\nupdate to 4.5.1 (bsc#1190531, CVE-2021-41072):\n\n  * This release adds Manpages for Mksquashfs(1), Unsquashfs(1),\n    Sqfstar(1) and Sqfscat(1).\n  * The -help text output from the utilities has been improved\n    and extended as well (but the Manpages are now more\n    comprehensive).\n  * CVE-2021-41072 which is a writing outside of destination\n    exploit, has been fixed.\n  * The number of hard-links in the filesystem is now also\n    displayed by Mksquashfs in the output summary.\n  * The number of hard-links written by Unsquashfs is now\n    also displayed in the output summary.\n  * Unsquashfs will now write to a pre-existing destination\n    directory, rather than aborting.\n  * Unsquashfs now allows '.' to used as the destination, to\n    extract to the current directory.\n  * The Unsquashfs progress bar now tracks empty files and\n    hardlinks, in addition to data blocks.\n  * -no-hardlinks option has been implemented for Sqfstar.\n  * More sanity checking for 'corrupted' filesystems, including\n    checks for multiply linked directories and directory loops.\n  * Options that may cause filesystems to be unmountable have\n    been moved into a new 'experts' category in the Mksquashfs\n    help text (and Manpage).\n  * Maximum cpiostyle filename limited to PATH_MAX.  This\n    prevents attempts to overflow the stack, or cause system\n    calls to fail with a too long pathname.\n  * Don't always use 'max open file limit' when calculating\n    length of queues, as a very large file limit can cause\n    Unsquashfs to abort.  Instead use the smaller of max open\n    file limit and cache size.\n  * Fix Mksquashfs silently ignoring Pseudo file definitions\n    when appending.\n  * Don't abort if no XATTR support has been built in, and\n    there's XATTRs in the filesystem.  This is a regression\n    introduced in 2019 in Version 4.4.\n  * Fix duplicate check when the last file block is sparse.\n\nupdate to 4.5:\n\n  * Mksquashfs now supports 'Actions'.\n  * New sqfstar command which will create a Squashfs image from a tar archive.\n  * Tar style handling of source pathnames in Mksquashfs.\n  * Cpio style handling of source pathnames in Mksquashfs.\n  * New option to throttle the amount of CPU and I/O.\n  * Mksquashfs now allows no source directory to be specified.\n  * New Pseudo file 'R' definition which allows a Regular file\n    o be created with data stored within the Pseudo file.\n  * Symbolic links are now followed in extract files\n  * Unsquashfs now supports 'exclude' files.\n  * Max depth traversal option added.\n  * Unsquashfs can now output a 'Pseudo file' representing the\n    input Squashfs filesystem.\n  * New -one-file-system option in Mksquashfs.\n  * New -no-hardlinks option in Mksquashfs.\n  * Exit code in Unsquashfs changed to distinguish between\n    non-fatal errors (exit 2), and fatal errors (exit 1).\n  * Xattr id count added in Unsquashfs '-stat' output.\n  * Unsquashfs 'write outside directory' exploit fixed.\n  * Error handling in Unsquashfs writer thread fixed.\n  * Fix failure to truncate destination if appending aborted.\n  * Prevent Mksquashfs reading the destination file. \n","id":"SUSE-SU-2023:4591-1","modified":"2023-11-27T13:32:32Z","published":"2023-11-27T13:32:32Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20234591-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1189936"},{"type":"REPORT","url":"https://bugzilla.suse.com/1190531"},{"type":"REPORT","url":"https://bugzilla.suse.com/935380"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-4645"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-4646"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-40153"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-41072"}],"related":["CVE-2015-4645","CVE-2015-4646","CVE-2021-40153","CVE-2021-41072"],"summary":"Security update for squashfs","upstream":["CVE-2015-4645","CVE-2015-4646","CVE-2021-40153","CVE-2021-41072"]}