Bug 8448 - squashfs-tools new security issues CVE-2012-4024 and CVE-2012-4025
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/529991/
: has_procedure mga2-64-OK mga2-32-OK
: validated_update
Reported: 2012-12-20 17:23 CET by David Walser
Modified: 2013-01-05 19:34 CET

Source RPM: squashfs-tools-4.2-4.mga3.src.rpm

Description David Walser 2012-12-20 17:23:13 CET
Fedora has issued an advisory on November 28:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094628.html

Mageia 2 may also be affected.
Comment 1 Thomas Backlund 2013-01-03 17:54:36 CET
squashfs-tools-4.2-5.mga3 submitted to cauldron.

squashfs-tools-4.2-3.mga2 submitted to mga2 core/updates_testing.

Advisory:
This update to squashfs-tools resolves the following security issues:

remote arbitrary code execution via crafted list file (CVE-2012-4024)

integer overflow in queue_init() may lead to arbitrary code execution
(CVE-2012-4025)


RPM:
squashfs-tools-4.2-3.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4025
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094628.html
https://bugs.mageia.org/show_bug.cgi?id=8448
Comment 2 David Walser 2013-01-03 20:12:09 CET
Patches from mga2 package synced into Mageia 1 SVN.
Comment 3 claire robinson 2013-01-04 17:51:29 CET
Digging through the bickering on the SF thread there is a PoC for CVE-2012-4024
http://sourceforge.net/mailarchive/message.php?msg_id=29559731

I can't reproduce the segfault though

$ mksquashfs test2 dir.test2
$ file dir.test2
dir.test2: Squashfs filesystem, little endian, version 4.0, 48560 bytes, 6 inodes, blocksize: 131072 bytes, created: Fri Jan  4 16:29:20 2013

$ unsquashfs dir.test2 -ef /$(perl -e 'print "A" x 2000')/
Parallel unsquashfs: Using 4 processors
0 inodes (0 blocks) to write


created 0 files
created 1 directories
created 0 symlinks
created 0 devices
created 0 fifos

CVE-2012-4025 seems more difficult to reproduce, needing a 'specially crafted' squashed filesystem.

Just testing the new squashfs-tools can squash and unsquash OK to validate.
Comment 4 claire robinson 2013-01-04 18:00:49 CET
Testing complete mga2 64

$ ls test3/
media_info/  perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm

$ mksquashfs test3 dir.test3
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on dir.test3, block size 131072.
[==================================================|] 4/4 100%
Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 47.42 Kbytes (0.05 Mbytes)
        94.78% of uncompressed filesystem size (50.03 Kbytes)
Inode table size 138 bytes (0.13 Kbytes)
        71.13% of uncompressed inode table size (194 bytes)
Directory table size 156 bytes (0.15 Kbytes)
        100.00% of uncompressed directory table size (156 bytes)
Number of duplicate files found 0
Number of inodes 6
Number of files 4
Number of fragments 1
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 2
Number of ids (unique uids + gids) 1
Number of uids 1
        claire (500)
Number of gids 1
        claire (500)

$ file dir.test3
dir.test3: Squashfs filesystem, little endian, version 4.0, 48560 bytes, 6 inodes, blocksize: 131072 bytes, created: Fri Jan  4 16:54:04 2013


$ unsquashfs dir.test3
Parallel unsquashfs: Using 4 processors
4 inodes (4 blocks) to write

[=====================================================|] 4/4 100%
created 4 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos

$ ls squashfs-root/
media_info/  perl-Config-IniFiles-2.750.0-1.mga2.noarch.rpm
Comment 5 claire robinson 2013-01-04 18:08:42 CET
Testing complete mga2 32

Validating

Advisory & SRPM in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 6 Thomas Backlund 2013-01-05 19:34:12 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0001
