Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-4025 squashfs-tools: integer overflow in queue_init() may lead to abitrary code execution|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||bruno, peterm, phillip.lougher, plougher, tcallawa|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-12-13 08:11:23 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||847270|
Description Vincent Danen 2012-07-23 18:29:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4025 to the following vulnerability: Name: CVE-2012-4025 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4025 Assigned: 20120716 Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=CAAoG81HL9oP8roPLLhftTSXTzSD%2BZcR66PRkVU%3Df76W3Mjde_w%40mail.gmail.com&forum_name=squashfs-devel Reference: OSVDB:83899 Reference: http://www.osvdb.org/83899 Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow.
Comment 1 Bruno Wolff III 2012-07-23 22:47:02 EDT
I'll keep an eye out for patches for this. Based on the discussion on the source forge list, I don't think anything is likely to happen soon. Phillip considers the two recent bugs to be relatively minor (I think that assessment is correct), he doesn't have a lot of time right now and the reporter has irked him. There appear to be fixes to check for other kinds of corruption queued up that may also cause similar issues. I have been keeping an eye out for a 4.3 release, as I am not sure what shape Phillip considers the current trunk to be in. If people think this really warrants a relatively rapid response I can look into seeing if I can find or make fixes?
Comment 2 Stefan Cornelius 2012-07-27 05:59:38 EDT
RHEL5 is not affected, as it does not support parallel processing and does not use queues.
Comment 4 Stefan Cornelius 2012-08-10 07:07:04 EDT
Created squashfs-tools tracking bugs for this issue Affects: fedora-all [bug 847270]
Comment 5 Stefan Cornelius 2012-08-17 04:59:37 EDT
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue did not affect the versions of squashfs-tools as shipped with Red Hat Enterprise Linux 5 as they did not include support for parallel processing and do not make use of queues.
Comment 6 Bruno Wolff III 2012-11-25 16:57:10 EST
There is an upstream commit for this. I am looking at backporting it now. http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e
Comment 7 Bruno Wolff III 2012-11-25 20:04:59 EST
I have updates for rawhide, f16, f17 and f18.
Comment 8 Fedora Update System 2012-12-11 19:17:45 EST
squashfs-tools-4.2-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-13 00:55:58 EST
squashfs-tools-4.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-13 00:58:27 EST
squashfs-tools-4.2-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Bruno Wolff III 2012-12-13 08:11:23 EST
Note that squashfs tools 4.3 is due out in a few weeks and will have fixes for a number of potential issues with handling bad data.
Comment 12 Vincent Danen 2012-12-20 16:17:24 EST
Please don't close SRT bugs; this needs to remain open for RHEL6 where it is deferred.
Comment 13 Bruno Wolff III 2012-12-20 16:30:38 EST
Should I have closed 847270 now that all of the Fedora instances have fixes?
Comment 14 Vincent Danen 2012-12-20 17:04:35 EST
Yeah, closing the Fedora bug would be good. Thanks.