Red Hat Bugzilla – Bug 842460
CVE-2012-4025 squashfs-tools: integer overflow in queue_init() may lead to abitrary code execution
Last modified: 2016-03-04 07:54:07 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4025 to
the following vulnerability:
Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers to
execute arbitrary code via a crafted block_log field in the superblock
of a .sqsh file, leading to a heap-based buffer overflow.
I'll keep an eye out for patches for this. Based on the discussion on the source forge list, I don't think anything is likely to happen soon. Phillip considers the two recent bugs to be relatively minor (I think that assessment is correct), he doesn't have a lot of time right now and the reporter has irked him.
There appear to be fixes to check for other kinds of corruption queued up that may also cause similar issues. I have been keeping an eye out for a 4.3 release, as I am not sure what shape Phillip considers the current trunk to be in.
If people think this really warrants a relatively rapid response I can look into seeing if I can find or make fixes?
RHEL5 is not affected, as it does not support parallel processing and does not use queues.
Created squashfs-tools tracking bugs for this issue
Affects: fedora-all [bug 847270]
The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue did not affect the versions of squashfs-tools as shipped with Red Hat Enterprise Linux 5 as they did not include support for parallel processing and do not make use of queues.
There is an upstream commit for this. I am looking at backporting it now.
I have updates for rawhide, f16, f17 and f18.
squashfs-tools-4.2-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
squashfs-tools-4.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
squashfs-tools-4.2-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Note that squashfs tools 4.3 is due out in a few weeks and will have fixes for a number of potential issues with handling bad data.
Please don't close SRT bugs; this needs to remain open for RHEL6 where it is deferred.
Should I have closed 847270 now that all of the Fedora instances have fixes?
Yeah, closing the Fedora bug would be good. Thanks.