| Summary: | squashfs-tools new security issues CVE-2012-4024 and CVE-2012-4025 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/529991/ | ||
| Whiteboard: | has_procedure mga2-64-OK mga2-32-OK | ||
| Source RPM: | squashfs-tools-4.2-4.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2012-12-20 17:23:13 CET
David Walser
2012-12-20 17:23:27 CET
Whiteboard:
(none) =>
MGA2TOO
Thomas Backlund
2013-01-03 17:02:37 CET
Status:
NEW =>
ASSIGNED

squashfs-tools-4.2-5.mga3 submitted to cauldron.
squashfs-tools-4.2-3.mga2 submitted to mga2 core/updates_testing.

Advisory:
This update to squashfs-tools resolves the following security issues:
remote arbitrary code execution via crafted list file (CVE-2012-4024)
integer overflow in queue_init() may lead to arbitrary code execution (CVE-2012-4025)

RPM:
squashfs-tools-4.2-3.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4025
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094628.html
https://bugs.mageia.org/show_bug.cgi?id=8448

CC:
(none) =>
tmb

Patches from mga2 package synced into Mageia 1 SVN.

Digging through the bickering on the SF thread there is a PoC for CVE-2012-4024
http://sourceforge.net/mailarchive/message.php?msg_id=29559731

I can't reproduce the segfault though

$ mksquashfs test2 dir.test2
$ file dir.test2
dir.test2: Squashfs filesystem, little endian, version 4.0, 48560 bytes, 6 inodes, blocksize: 131072 bytes, created: Fri Jan 4 16:29:20 2013
$ unsquashfs dir.test2 -ef /$(perl -e 'print "A" x 2000')/
Parallel unsquashfs: Using 4 processors
0 inodes (0 blocks) to write
created 0 files
created 1 directories
created 0 symlinks
created 0 devices
created 0 fifos

CVE-2012-4025 seems more difficult to reproduce, needing a 'specially crafted' squashed filesystem.
Just testing the new squashfs-tools can squash and unsquash OK to validate.

Testing complete mga2 64
$ ls test3/
media_info/ perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm
$ mksquashfs test3 dir.test3
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on dir.test3, block size 131072.
[==================================================|] 4/4 100%
Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
compressed data, compressed metadata, compressed fragments, compressed xattrs
duplicates are removed
Filesystem size 47.42 Kbytes (0.05 Mbytes)
94.78% of uncompressed filesystem size (50.03 Kbytes)
Inode table size 138 bytes (0.13 Kbytes)
71.13% of uncompressed inode table size (194 bytes)
Directory table size 156 bytes (0.15 Kbytes)
100.00% of uncompressed directory table size (156 bytes)
Number of duplicate files found 0
Number of inodes 6
Number of files 4
Number of fragments 1
Number of symbolic links 0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 2
Number of ids (unique uids + gids) 1
Number of uids 1
claire (500)
Number of gids 1
claire (500)
$ file dir.test3
dir.test3: Squashfs filesystem, little endian, version 4.0, 48560 bytes, 6 inodes, blocksize: 131072 bytes, created: Fri Jan 4 16:54:04 2013
$ unsquashfs dir.test3
Parallel unsquashfs: Using 4 processors
4 inodes (4 blocks) to write
[=====================================================|] 4/4 100%
created 4 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
$ ls squashfs-root/
media_info/ perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm

Hardware:
i586 =>
All

Testing complete mga2 32

Validating

Advisory & SRPM in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0001

Status:
ASSIGNED =>
RESOLVED |