ELA-497-1 squashfs-tools security update
Package: squashfs-tools
Version: 1:4.2+20130409-2+deb8u2
Related CVEs: CVE-2021-41072
Richard Weinberger reported that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory. An attacker can take advantage of this flaw to write to arbitrary files on the filesystem if a malformed Squashfs image is processed.
For Debian 8 jessie, this problem has been fixed in version 1:4.2+20130409-2+deb8u2.
We recommend that you upgrade your squashfs-tools packages.
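As an added example (not part of the advisory or of squashfs-tools), the following Python script flags names that appear more than once in the same directory of an image listing, which is the condition the advisory describes, so that an image can be checked before it is extracted. It assumes the listing has one path per line, as printed by `unsquashfs -l`; the sample listing and the function names are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the one-path-per-line form assumed for `unsquashfs -l`.
SAMPLE_LISTING = """\
squashfs-root
squashfs-root/etc
squashfs-root/etc/motd
squashfs-root/data
squashfs-root/data/report.txt
squashfs-root/data//report.txt
squashfs-root/data/notes
squashfs-root/backup
squashfs-root/backup/report.txt
"""

def duplicate_entries(listing_lines):
    """Map each directory to the sorted names listed in it more than once."""
    per_dir = defaultdict(Counter)
    for raw in listing_lines:
        # Collapse repeated slashes and drop a trailing one so that
        # "a//b" and "a/b/" count as the same entry as "a/b".
        # Line-based input: names containing newlines are not handled.
        path = re.sub(r"/+", "/", raw.strip("\r\n")).rstrip("/")
        if not path:
            continue
        parent, _, name = path.rpartition("/")
        per_dir[parent][name] += 1
    return {
        parent: sorted(n for n, count in names.items() if count > 1)
        for parent, names in per_dir.items()
        if any(count > 1 for count in names.values())
    }

def main(stream=sys.stdin):
    """Read a listing, report duplicates, return a shell exit status."""
    dupes = duplicate_entries(stream)
    for parent, names in sorted(dupes.items()):
        for name in names:
            print(f"duplicate name in {parent or '/'}: {name!r}", file=sys.stderr)
    return 1 if dupes else 0

if __name__ == "__main__":
    sys.exit(main())
```

Feed it a listing on standard input, for example `unsquashfs -l image.sqfs | python3 check_dupes.py` (both file names are placeholders); a non-zero exit status means a duplicate name was found.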
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A squashfs-tools security update has been released for Debian GNU/Linux 8 Extended LTS to address a flaw that allows an attacker to write arbitrary files to the filesystem.