Description
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
References (8)
Core 8
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html
Third Party Advisory vendor-advisory
https://www.debian.org/security/2021/dsa-4967
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/
Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1941790
Patch, Third Party Advisory
https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646
Exploit, Third Party Advisory
https://github.com/plougher/squashfs-tools/issues/72
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-29
Scores
CVSS v3
8.1
EPSS
0.0054
EPSS Percentile
67.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (7)
debian/debian_linux
9.0
debian/debian_linux
10.0
fedoraproject/fedora
34
fedoraproject/fedora
33
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
squashfs-tools_project/squashfs-tools
4.5
Published
Aug 27, 2021
Tracked Since
Feb 18, 2026