Bug 842460 (CVE-2012-4025)

Summary: CVE-2012-4025 squashfs-tools: integer overflow in queue_init() may lead to abitrary code execution
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bruno, peterm, phillip.lougher, plougher, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120718,reported=20120719,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/squashfs-tools=affected,rhel-6/squashfs-tools=defer,rhel-5/squashfs-tools=notaffected,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-13 08:11:23 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 847270    
Bug Blocks: 842461    

Description Vincent Danen 2012-07-23 18:29:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4025 to
the following vulnerability:

Name: CVE-2012-4025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4025
Assigned: 20120716
Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=CAAoG81HL9oP8roPLLhftTSXTzSD%2BZcR66PRkVU%3Df76W3Mjde_w%40mail.gmail.com&forum_name=squashfs-devel
Reference: OSVDB:83899
Reference: http://www.osvdb.org/83899

Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers to
execute arbitrary code via a crafted block_log field in the superblock
of a .sqsh file, leading to a heap-based buffer overflow.
Comment 1 Bruno Wolff III 2012-07-23 22:47:02 EDT
I'll keep an eye out for patches for this. Based on the discussion on the source forge list, I don't think anything is likely to happen soon. Phillip considers the two recent bugs to be relatively minor (I think that assessment is correct), he doesn't have a lot of time right now and the reporter has irked him.
There appear to be fixes to check for other kinds of corruption queued up that may also cause similar issues. I have been keeping an eye out for a 4.3 release, as I am not sure what shape Phillip considers the current trunk to be in.

If people think this really warrants a relatively rapid response I can look into seeing if I can find or make fixes?
Comment 2 Stefan Cornelius 2012-07-27 05:59:38 EDT
RHEL5 is not affected, as it does not support parallel processing and does not use queues.
Comment 4 Stefan Cornelius 2012-08-10 07:07:04 EDT
Created squashfs-tools tracking bugs for this issue

Affects: fedora-all [bug 847270]
Comment 5 Stefan Cornelius 2012-08-17 04:59:37 EDT

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of squashfs-tools as shipped with Red Hat Enterprise Linux 5 as they did not include support for parallel processing and do not make use of queues.
Comment 6 Bruno Wolff III 2012-11-25 16:57:10 EST
There is an upstream commit for this. I am looking at backporting it now.
Comment 7 Bruno Wolff III 2012-11-25 20:04:59 EST
I have updates for rawhide, f16, f17 and f18.
Comment 8 Fedora Update System 2012-12-11 19:17:45 EST
squashfs-tools-4.2-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-13 00:55:58 EST
squashfs-tools-4.2-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-13 00:58:27 EST
squashfs-tools-4.2-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Bruno Wolff III 2012-12-13 08:11:23 EST
Note that squashfs tools 4.3 is due out in a few weeks and will have fixes for a number of potential issues with handling bad data.
Comment 12 Vincent Danen 2012-12-20 16:17:24 EST
Please don't close SRT bugs; this needs to remain open for RHEL6 where it is deferred.
Comment 13 Bruno Wolff III 2012-12-20 16:30:38 EST
Should I have closed 847270 now that all of the Fedora instances have fixes?
Comment 14 Vincent Danen 2012-12-20 17:04:35 EST
Yeah, closing the Fedora bug would be good.  Thanks.