A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.
Created squashfs-tools tracking bugs for this issue:
Affects: fedora-all [bug 2004958]
Upstream fix :
It is fixed in f35 and rawhide. I need to wait one more day before I can move from testing to stable in f33 and f34. The previous security fix didn't get into f33, because I didn't wait for the previous update to get to stable there before creating the new update and the older update got obsoleted.
The fixed version is now in all current versions of Fedora.