Bug 842460 - (CVE-2012-4025) CVE-2012-4025 squashfs-tools: integer overflow in queue_init() may lead to arbitrary code execution
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 847270
Blocks: 842461
Reported: 2012-07-23 18:29 EDT by Vincent Danen
Modified: 2016-03-04 07:54 EST
Last Closed: 2012-12-13 08:11:23 EST
Doc Type: Bug Fix
Attachments: None
Description Vincent Danen 2012-07-23 18:29:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4025 to
the following vulnerability:

Name: CVE-2012-4025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4025
Assigned: 20120716
Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=CAAoG81HL9oP8roPLLhftTSXTzSD%2BZcR66PRkVU%3Df76W3Mjde_w%40mail.gmail.com&forum_name=squashfs-devel
Reference: OSVDB:83899
Reference: http://www.osvdb.org/83899

Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers to
execute arbitrary code via a crafted block_log field in the superblock
of a .sqsh file, leading to a heap-based buffer overflow.
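Added illustration, not code from squashfs-tools or from this report: the shape of input validation that stops a crafted block_log from driving an oversized or wrapped queue allocation. The block_log field offset, the 12..20 range and the sizing rule (entries_mib << (20 - block_log)) are assumptions made for this example, not facts taken from the bug.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed range: SquashFS block sizes of 4 KiB..1 MiB, i.e. block_log 12..20. */
#define MIN_BLOCK_LOG 12
#define MAX_BLOCK_LOG 20
/* Assumed offset of the little-endian u16 block_log field in the superblock. */
#define BLOCK_LOG_OFFSET 22

/* Validates block_log, then derives a queue length (entries_mib << (20 - block_log),
 * a hypothetical sizing rule) and checks that the pointer array for that many
 * entries can be sized without wrapping. Returns 0 on success, negative on reject. */
int safe_queue_size(const uint8_t *sb, size_t sb_len, size_t entries_mib, size_t *out_len)
{
    if (sb_len < BLOCK_LOG_OFFSET + 2)
        return -1;                              /* truncated superblock */
    uint16_t block_log = (uint16_t)(sb[BLOCK_LOG_OFFSET] | (sb[BLOCK_LOG_OFFSET + 1] << 8));
    if (block_log < MIN_BLOCK_LOG || block_log > MAX_BLOCK_LOG)
        return -2;                              /* reject before any shift uses it */
    unsigned shift = MAX_BLOCK_LOG - block_log; /* 0..8, so the shift is well defined */
    if (entries_mib > (SIZE_MAX >> shift))
        return -3;                              /* entries_mib << shift would wrap */
    size_t len = entries_mib << shift;
    if (len > SIZE_MAX / sizeof(void *) - 1)
        return -3;                              /* sizeof(void *) * (len + 1) would wrap */
    *out_len = len;
    return 0;
}

/* Builds a constructed 96-byte superblock holding only block_log and runs the check.
 * Returns the queue length, or the negative code from safe_queue_size(). */
long long queue_len_for(uint16_t block_log, size_t entries_mib)
{
    uint8_t sb[96] = {0};                       /* constructed header, all other fields zero */
    sb[BLOCK_LOG_OFFSET] = (uint8_t)(block_log & 0xff);
    sb[BLOCK_LOG_OFFSET + 1] = (uint8_t)(block_log >> 8);
    size_t len = 0;
    int rc = safe_queue_size(sb, sizeof sb, entries_mib, &len);
    return rc < 0 ? rc : (long long)len;
}

int main(void)
{
    printf("block_log 17 -> %lld entries\n", queue_len_for(17, 8));        /* 64 */
    printf("block_log 65535 -> %lld (rejected)\n", queue_len_for(65535, 8)); /* -2 */
    return 0;
}
```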
Comment 1 Bruno Wolff III 2012-07-23 22:47:02 EDT
I'll keep an eye out for patches for this. Based on the discussion on the SourceForge list, I don't think anything is likely to happen soon. Phillip considers the two recent bugs to be relatively minor (I think that assessment is correct), he doesn't have a lot of time right now, and the reporter has irked him.
There appear to be fixes to check for other kinds of corruption queued up that may also cause similar issues. I have been keeping an eye out for a 4.3 release, as I am not sure what shape Phillip considers the current trunk to be in.

If people think this really warrants a relatively rapid response I can look into seeing if I can find or make fixes?
Comment 2 Stefan Cornelius 2012-07-27 05:59:38 EDT
RHEL5 is not affected, as it does not support parallel processing and does not use queues.
Comment 4 Stefan Cornelius 2012-08-10 07:07:04 EDT
Created squashfs-tools tracking bugs for this issue

Affects: fedora-all [bug 847270]
Comment 5 Stefan Cornelius 2012-08-17 04:59:37 EDT

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue did not affect the versions of squashfs-tools as shipped with Red Hat Enterprise Linux 5, as they did not include support for parallel processing and did not make use of queues.
Comment 6 Bruno Wolff III 2012-11-25 16:57:10 EST
There is an upstream commit for this. I am looking at backporting it now.
Comment 7 Bruno Wolff III 2012-11-25 20:04:59 EST
I have updates for rawhide, f16, f17 and f18.
Comment 8 Fedora Update System 2012-12-11 19:17:45 EST
squashfs-tools-4.2-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-13 00:55:58 EST
squashfs-tools-4.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-13 00:58:27 EST
squashfs-tools-4.2-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Bruno Wolff III 2012-12-13 08:11:23 EST
Note that squashfs tools 4.3 is due out in a few weeks and will have fixes for a number of potential issues with handling bad data.
Comment 12 Vincent Danen 2012-12-20 16:17:24 EST
Please don't close SRT bugs; this needs to remain open for RHEL6 where it is deferred.
Comment 13 Bruno Wolff III 2012-12-20 16:30:38 EST
Should I have closed 847270 now that all of the Fedora instances have fixes?
Comment 14 Vincent Danen 2012-12-20 17:04:35 EST
Yeah, closing the Fedora bug would be good. Thanks.