A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem. Upstream Issue: https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405
Created squashfs-tools tracking bugs for this issue: Affects: fedora-all [bug 2004958]
Upstream fix : https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
It is fixed in f35 and rawhide. I need to wait one more day before I can move from testing to stable in f33 and f34. The previous security fix didn't get into f33, because I didn't wait for the previous update to get to stable there before creating the new update and the older update got obsoleted.
The fixed version is now in all current versions of Fedora.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2396 https://access.redhat.com/errata/RHSA-2024:2396
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3139 https://access.redhat.com/errata/RHSA-2024:3139