Bug 773015

Summary: squashfs: two overflows in the squashfs builder
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Torsten Duwe <duwe>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2012-07-25 13:46:22 UTC
is public, via oss-sec

CVE-2012-4024 and CVE-2012-4025


We wanted to mention these two recent open-source CVEs here because
the upstream vendor expressed a position that the issues don't qualify
for CVE inclusion, and indicated that he often uses CVE in his work on
code unrelated to Squashfs.

This post isn't meant to suggest any level of urgency for Linux
distributions to produce new Squashfs packages. It's conceivable that
actual exploitation of these vulnerabilities will never occur.

Although Squashfs is a Linux filesystem, these two CVEs are about a
utility program that is, in some ways, similar to tar or other archive
programs. In general, if an archive file might be obtained from an
untrusted remote source, and crafted data within the archive file
potentially leads to arbitrary code execution during extraction, the
issue can be included in CVE. There are many CVEs in this category
(e.g., see CVE-2011-1777 and CVE-2011-1778 in RHSA-2011:1507-1).
CVE-2012-4025 also fits into this category.

CVE-2012-4024 is different because the crafted data isn't in the
archive file. Specifically, the crafted data must be in a list file
that's similar to the list file used with the "tar -T" option. One
threat model is that an attacker announces 'We have created an example
of our project as a squashfs filesystem. The downloadable files are
myproject.sqsh and myproject.list. If you only want the source code,
you can extract it by running the "unsquashfs myproject.sqsh -ef
myproject.list" command.' If myproject.list is long enough (e.g.,
thousands of lines with reasonable source-code filenames and one line
with exploit code), probably most people wouldn't notice that the file
isn't legitimate.

Some similar issues involving archive programs don't qualify for CVE
inclusion because there is no plausible threat model. Ones that are
proposed occasionally include situations where a crafted filename must
be entered on the command line, and situations where the victim must
use a crafted configuration file.

CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/obtain_id.html ]
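The list-file threat model in the MITRE text above, illustrated with an added example that is neither squashfs-tools code nor part of the original post: a toy reader for a one-path-per-line extract list (the shape of a file passed to "unsquashfs -ef"), first with the pattern that makes such a file dangerous, an unbounded copy of a path component into a fixed-size stack buffer, and then with a bounded copy that rejects components that do not fit. The buffer size COMPONENT_MAX, the function names and the constructed list (1000 plausible source-file names followed by one 2000-byte component) are assumptions made for this illustration.

```c
/* Added example, not squashfs-tools code: a toy "extract list" reader
 * (one path per line, as with "unsquashfs -ef LIST") showing the class
 * of bug the MITRE note describes and the bounded alternative.
 * COMPONENT_MAX, the function names and the sample list are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMPONENT_MAX 1024   /* assumed fixed buffer size for the toy */

/* Vulnerable pattern: copy one path component (up to '/' or NUL) into
 * `name`, which the caller sizes at COMPONENT_MAX. Nothing stops a
 * component longer than that from running off the end of the buffer.
 * Included only for contrast; never called below. */
const char *get_component_unbounded(const char *target, char *name)
{
    while (*target == '/')
        target++;
    while (*target != '/' && *target != '\0')
        *name++ = *target++;
    *name = '\0';
    return target;
}

/* Hardened pattern: same job, but the caller passes the buffer size and a
 * component that does not fit is rejected (NULL) rather than silently
 * truncated, since a truncated path would select the wrong file. */
const char *get_component_bounded(const char *target, char *name, size_t size)
{
    size_t n = 0;
    while (*target == '/')
        target++;
    while (*target != '/' && *target != '\0') {
        if (n + 1 >= size)      /* leave room for the terminator */
            return NULL;
        name[n++] = *target++;
    }
    name[n] = '\0';
    return target;
}

/* Walk one path component by component with the bounded copy.
 * Returns 1 if every component fits, 0 if one is too long. */
int path_is_safe(const char *path)
{
    char name[COMPONENT_MAX];
    const char *p = path;
    while (*p != '\0') {
        p = get_component_bounded(p, name, sizeof name);
        if (p == NULL)
            return 0;
    }
    return 1;
}

/* Scan a whole newline-separated list and return how many lines the
 * bounded copy rejects; a legitimate list yields 0. Returns -1 on OOM. */
int count_bad_lines(const char *list)
{
    int bad = 0;
    const char *line = list;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char *copy = malloc(len + 1);
        if (copy == NULL)
            return -1;
        memcpy(copy, line, len);
        copy[len] = '\0';
        if (!path_is_safe(copy))
            bad++;
        free(copy);
        line = nl ? nl + 1 : line + len;
    }
    return bad;
}

/* Constructed sample list: many plausible source-file names, then one line
 * whose single component is 2000 bytes, longer than COMPONENT_MAX.
 * The caller frees the result. */
char *build_sample_list(void)
{
    size_t cap = 64 * 1024, used = 0;
    char *list = malloc(cap);
    if (list == NULL)
        return NULL;
    for (int i = 0; i < 1000; i++)
        used += (size_t)snprintf(list + used, cap - used,
                                 "src/module%d/file%d.c\n", i, i);
    memset(list + used, 'A', 2000);   /* the one hostile line */
    used += 2000;
    list[used++] = '\n';
    list[used] = '\0';
    return list;
}

int main(void)
{
    char *list = build_sample_list();
    if (list == NULL)
        return 1;
    printf("lines rejected by bounded copy: %d\n", count_bad_lines(list));
    free(list);
    return 0;
}
```

Running the program reports that exactly one line of the sample list is rejected; the thousand benign lines pass, which is the point of the MITRE scenario, since a reviewer skimming the list would likely never reach the hostile line. The unbounded variant is kept only to show the difference and is never executed, because on that line it would write about 1000 bytes past the end of a COMPONENT_MAX buffer.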
Comment 1 Marcus Meissner 2012-07-25 13:46:47 UTC
(no update required, mostly for tracking purposes and factory)
Comment 2 Torsten Duwe 2013-12-18 13:26:55 UTC
http://sourceforge.net/mailarchive/message.php?msg_id=29558897 :
| These are minor vulnerabilities which are difficult to trigger, in
| code which has been there since at least 2006  (one has been there
| since 2002).  As such I consider them fairly low priority.
| Phillip

meanwhile fixed in sf.net git
Comment 3 Sebastian Krahmer 2013-12-18 15:08:19 UTC
So I guess it can be closed?
Comment 4 Torsten Duwe 2014-04-02 11:48:00 UTC
No. Phillip is quite active, but does not make new releases :-(
We're still shipping an unpatched 4.2 release from 2011.

I'd like to see this turned into an OBS _service, but with the current
"policies" I'm really loath to do it.
Comment 5 Torsten Duwe 2014-05-16 12:34:35 UTC
Rejoice! There's squashfs 4.3!
Comment 6 Torsten Duwe 2014-05-16 13:21:23 UTC
now in OBS:filesystems.