Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.7127
Security update for squashfs
29 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: squashfs
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2021-41072 CVE-2021-40153 CVE-2015-4646
CVE-2015-4645
Original Bulletin:
https://www.suse.com/support/update/announcement/2023/suse-su-20234591-1
Comment: CVSS (Max): 6.6 CVE-2021-41072 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update for squashfs
Announcement ID: SUSE-SU-2023:4591-1
Rating: important
o bsc#1189936
References: o bsc#1190531
o bsc#935380
o CVE-2015-4645
o CVE-2015-4646
Cross-References: o CVE-2021-40153
o CVE-2021-41072
o CVE-2015-4645 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/
S:U/C:N/I:N/A:H
o CVE-2015-4645 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/
S:U/C:N/I:N/A:H
o CVE-2015-4646 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/
S:U/C:N/I:N/A:H
o CVE-2021-40153 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R
CVSS scores: /S:U/C:H/I:H/A:N
o CVE-2021-40153 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/
S:U/C:N/I:H/A:H
o CVE-2021-41072 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R
/S:U/C:H/I:H/A:N
o CVE-2021-41072 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/
S:U/C:N/I:H/A:H
o Basesystem Module 15-SP4
o Basesystem Module 15-SP5
o openSUSE Leap 15.3
o openSUSE Leap 15.4
o openSUSE Leap 15.5
o openSUSE Leap Micro 5.3
o openSUSE Leap Micro 5.4
o SUSE Enterprise Storage 7.1
o SUSE Linux Enterprise Desktop 15 SP4
o SUSE Linux Enterprise Desktop 15 SP5
o SUSE Linux Enterprise High Performance Computing 15 SP3
o SUSE Linux Enterprise High Performance Computing 15 SP4
o SUSE Linux Enterprise High Performance Computing 15 SP5
o SUSE Linux Enterprise High Performance Computing ESPOS 15
SP3
o SUSE Linux Enterprise High Performance Computing LTSS 15
SP3
o SUSE Linux Enterprise Micro 5.1
o SUSE Linux Enterprise Micro 5.2
Affected o SUSE Linux Enterprise Micro 5.3
Products: o SUSE Linux Enterprise Micro 5.4
o SUSE Linux Enterprise Micro 5.5
o SUSE Linux Enterprise Micro for Rancher 5.2
o SUSE Linux Enterprise Micro for Rancher 5.3
o SUSE Linux Enterprise Micro for Rancher 5.4
o SUSE Linux Enterprise Real Time 15 SP4
o SUSE Linux Enterprise Real Time 15 SP5
o SUSE Linux Enterprise Server 15 SP3
o SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
o SUSE Linux Enterprise Server 15 SP4
o SUSE Linux Enterprise Server 15 SP5
o SUSE Linux Enterprise Server for SAP Applications 15 SP3
o SUSE Linux Enterprise Server for SAP Applications 15 SP4
o SUSE Linux Enterprise Server for SAP Applications 15 SP5
o SUSE Manager Proxy 4.2
o SUSE Manager Proxy 4.3
o SUSE Manager Retail Branch Server 4.2
o SUSE Manager Retail Branch Server 4.3
o SUSE Manager Server 4.2
o SUSE Manager Server 4.3
An update that solves four vulnerabilities can now be installed.
Description:
This update for squashfs fixes the following issues:
o CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in
squashfs-tools (bsc#935380)
o CVE-2021-40153: Fixed an issue where an attacker might have been able to
write a file outside of destination (bsc#1189936)
o CVE-2021-41072: Fixed an issue where an attacker might have been able to
write a file outside the destination directory via a symlink (bsc#1190531).
update to 4.6.1:
o Race condition which can cause corruption of the "fragment table" fixed.
This is a regression introduced in August 2022, and it has been seen when
tailend packing is used (-tailends option).
o Fix build failure when the tools are being built without extended attribute
(XATTRs) support.
o Fix XATTR error message when an unrecognised prefix is found
o Fix incorrect free of pointer when an unrecognised XATTR prefix is found.
o Major improvements in extended attribute handling, pseudo file handling,
and miscellaneous new options and improvements
o Extended attribute handling improved in Mksquashfs and Sqfstar
o New Pseudo file xattr definition to add extended attributes to files.
o New xattrs-add Action to add extended attributes to files
o Extended attribute handling improved in Unsquashfs
o Other major improvements
o Unsquashfs can now output Pseudo files to standard out.
o Mksquashfs can now input Pseudo files from standard in.
o Squashfs filesystems can now be converted (different block size compression
etc) without unpacking to an intermediate filesystem or mounting, by piping
the output of Unsquashfs to Mksquashfs.
o Pseudo files are now supported by Sqfstar.
o "Non-anchored" excludes are now supported by Unsquashfs.
update to 4.5.1 (bsc#1190531, CVE-2021-41072):
o This release adds Manpages for Mksquashfs(1), Unsquashfs(1), Sqfstar(1) and
Sqfscat(1).
o The -help text output from the utilities has been improved and extended as
well (but the Manpages are now more comprehensive).
o CVE-2021-41072 which is a writing outside of destination exploit, has been
fixed.
o The number of hard-links in the filesystem is now also displayed by
Mksquashfs in the output summary.
o The number of hard-links written by Unsquashfs is now also displayed in the
output summary.
o Unsquashfs will now write to a pre-existing destination directory, rather
than aborting.
o Unsquashfs now allows "." to used as the destination, to extract to the
current directory.
o The Unsquashfs progress bar now tracks empty files and hardlinks, in
addition to data blocks.
o -no-hardlinks option has been implemented for Sqfstar.
o More sanity checking for "corrupted" filesystems, including checks for
multiply linked directories and directory loops.
o Options that may cause filesystems to be unmountable have been moved into a
new "experts" category in the Mksquashfs help text (and Manpage).
o Maximum cpiostyle filename limited to PATH_MAX. This prevents attempts to
overflow the stack, or cause system calls to fail with a too long pathname.
o Don't always use "max open file limit" when calculating length of queues,
as a very large file limit can cause Unsquashfs to abort. Instead use the
smaller of max open file limit and cache size.
o Fix Mksquashfs silently ignoring Pseudo file definitions when appending.
o Don't abort if no XATTR support has been built in, and there's XATTRs in
the filesystem. This is a regression introduced in 2019 in Version 4.4.
o Fix duplicate check when the last file block is sparse.
update to 4.5:
o Mksquashfs now supports "Actions".
o New sqfstar command which will create a Squashfs image from a tar archive.
o Tar style handling of source pathnames in Mksquashfs.
o Cpio style handling of source pathnames in Mksquashfs.
o New option to throttle the amount of CPU and I/O.
o Mksquashfs now allows no source directory to be specified.
o New Pseudo file "R" definition which allows a Regular file o be created
with data stored within the Pseudo file.
o Symbolic links are now followed in extract files
o Unsquashfs now supports "exclude" files.
o Max depth traversal option added.
o Unsquashfs can now output a "Pseudo file" representing the input Squashfs
filesystem.
o New -one-file-system option in Mksquashfs.
o New -no-hardlinks option in Mksquashfs.
o Exit code in Unsquashfs changed to distinguish between non-fatal errors
(exit 2), and fatal errors (exit 1).
o Xattr id count added in Unsquashfs "-stat" output.
o Unsquashfs "write outside directory" exploit fixed.
o Error handling in Unsquashfs writer thread fixed.
o Fix failure to truncate destination if appending aborted.
o Prevent Mksquashfs reading the destination file.
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-4591=1
o openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-4591=1
o SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1
o SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1
o SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1
o SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1
o SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2023-4591=1
o Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4591=1
o Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4591=1
o SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4591=1
o SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4591=1
o SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4591=1
o SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4591=1
o SUSE Manager Proxy 4.2
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4591=1
o SUSE Manager Retail Branch Server 4.2
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2023-4591=1
o SUSE Manager Server 4.2
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4591=1
o SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2023-4591=1
o SUSE Linux Enterprise Micro 5.1
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-4591=1
o SUSE Linux Enterprise Micro 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1
o SUSE Linux Enterprise Micro for Rancher 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1
o openSUSE Leap 15.3
zypper in -t patch SUSE-2023-4591=1
o openSUSE Leap Micro 5.3
zypper in -t patch openSUSE-Leap-Micro-5.3-2023-4591=1
o openSUSE Leap Micro 5.4
zypper in -t patch openSUSE-Leap-Micro-5.4-2023-4591=1
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64
x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x
x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Manager Proxy 4.2 (x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Manager Retail Branch Server 4.2 (x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Manager Server 4.2 (ppc64le s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Enterprise Storage 7.1 (aarch64 x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o openSUSE Leap Micro 5.3 (aarch64 x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
o openSUSE Leap Micro 5.4 (aarch64 s390x x86_64)
? squashfs-debuginfo-4.6.1-150300.3.3.1
? squashfs-debugsource-4.6.1-150300.3.3.1
? squashfs-4.6.1-150300.3.3.1
References:
o https://www.suse.com/security/cve/CVE-2015-4645.html
o https://www.suse.com/security/cve/CVE-2015-4646.html
o https://www.suse.com/security/cve/CVE-2021-40153.html
o https://www.suse.com/security/cve/CVE-2021-41072.html
o https://bugzilla.suse.com/show_bug.cgi?id=1189936
o https://bugzilla.suse.com/show_bug.cgi?id=1190531
o https://bugzilla.suse.com/show_bug.cgi?id=935380
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZWaSpckNZI30y1K9AQgfVBAAgB0hawxOn8RPIg0MuSkh9PfDfcstIlrN
CQnWQ4dA7JP9UMwxqylF0VaUc9XRKHFqaDVkfB4DYahTOz3LasG/2BQiejbzYrpP
+VfDH0jilRHWxCaFpY2YmhgAWjospK+iANnuVYqdUEl+STVTtKhqMOM+Tc93y4J2
LtzLNYg/wPKTEswGeV5vk6MK9rGIW5BIVMjKQnaSNvOjRwTTw0/CsQY6WD5TzG+1
GlER206vIqmPDEjxv0RuviEn6bYytUJGqog8OjBN0HPvUebRek74CuJiM47UV+4i
WT715doPfREtc1mhe7TsYf8VN6dix4hn/zC9hEshXh6xhF8tyg0hd7vuo4pvmfxJ
B5fLi1sfUV/7wbMGEjG3XkQb5Fnb5Ncgie82414xB3Xw3F/5iibE9dfur8qVPRKt
ngNb13GIoYmUBDm+4PfH6eN/HIEnPGwsLlAd0W5Rfoeh8sh+0zpasG81kXD6pn7W
PiWcbL5G5Jk9eaex8Gd4ibGB/KA90pao5ne5DCfEzUPu7DaurTSX5qpha4CKMzDK
rkC8Uxp1ziYJsPJrv/XcR+zrlJsMPRyUed7rlUoDbxEKdvEcFF900qarRozNRyTx
gWBLskBoaHHQ8PJBnTB4EaVmcHGUG4XrE/vNtdLzRi9p+Z9bORyooaDHfmjh9s5q
F4n1Qj/VH2U=
=zv73
-----END PGP SIGNATURE-----