
A squashfs-tools security update has been released for Debian GNU/Linux 8 Extended LTS to address a flaw that allows an attacker to write arbitrary files to the filesystem.



ELA-497-1 squashfs-tools security update


Package: squashfs-tools
Version: 1:4.2+20130409-2+deb8u2
Related CVEs: CVE-2021-41072

Richard Weinberger reported that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory. An attacker can take advantage of this flaw to write arbitrary files to the filesystem if a malformed Squashfs image is processed.

For Debian 8 jessie, this problem has been fixed in version 1:4.2+20130409-2+deb8u2.

We recommend that you upgrade your squashfs-tools packages.
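
To screen an untrusted image for the duplicate-filename condition described above before extracting it, the following added example (not part of the advisory or of squashfs-tools) lists the image with `unsquashfs -l` and reports any path that appears more than once. It assumes the listing prints one path per line and repeats a path when a directory holds two entries with the same name; `find_duplicate_entries` and `scan_image` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-screen a Squashfs image for duplicate directory entries
# (the condition behind CVE-2021-41072) without extracting anything.
# Assumption: `unsquashfs -l` prints one path per line and prints a path
# twice when the image has two same-named entries in one directory.

# Read a path listing on stdin; print every path that occurs more than once.
find_duplicate_entries() {
    # LC_ALL=C compares raw bytes, so locale collation rules cannot make
    # two different names compare equal or two equal names compare apart.
    grep -v '^$' | LC_ALL=C sort | LC_ALL=C uniq -d
}

# List (never extract) the image and report duplicates.
# Returns 0 if no duplicates, 1 if duplicates were found, 2 if listing failed.
scan_image() {
    image=$1
    listing=$(unsquashfs -l "$image" 2>/dev/null) || return 2
    dups=$(printf '%s\n' "$listing" | find_duplicate_entries)
    if [ -n "$dups" ]; then
        printf 'duplicate entries in %s:\n%s\n' "$image" "$dups" >&2
        return 1
    fi
    return 0
}

# When called with an image path, scan it and exit with the scan result.
if [ "$#" -gt 0 ]; then
    scan_image "$1"
    exit $?
fi
```

A non-zero result means the image should not be passed to an unpatched unsquashfs for extraction.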

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
