oss-sec mailing list archives
Re: CVE Request: Squashfs 4.2 Race Condition
From: Jihyeok Seo <limeburst () member fsf org>
Date: Thu, 31 Dec 2015 06:29:55 +0900
Privilege boundary crossing does not necessarily happen. However, since unsquashfs is often run with sudo (Squashfs filesystem containing files owned by root), it is a possibility. I do not know if this bug can lead to code execution. However, firmware upgrade procedures (remote or local) which use unsquashfs, on devices such as network routers, could be crashed with an untrusted Squashfs filesystem image and lead to denial of service.
On Dec 31, 2015, at 5:37 AM, cve-assign () mitre org wrote:

>> A malformed Squashfs filesystem can cause a race condition in unsquashfs. This is caused by the decompress thread attempting to access a shared queue, resulting in a SIGSEGV.
>>
>> struct cache_entry *entry = queue_get(to_deflate);
>
> Do you have any information about a scenario in which this bug crosses a privilege boundary? Do you mean that, because of the details of the SIGSEGV, there's a reasonable likelihood of code execution when a victim runs unsquashfs on an untrusted SquashFS filesystem image?
>
> Other possibilities in which there could be a CVE ID assigned include:
>
> - if the affected unsquashfs code were also available as a library that was used to build a program that was supposed to remain running to handle multiple unsquash operations
> - if the affected unsquashfs code were also used to support a SquashFS filesystem that was mounted on a system, and an unprivileged user could crash the system by reading from the filesystem
> - (again for this use of the affected code) if a system exists that automatically mounts SquashFS filesystems found on removable media, and inserting removable media could crash the system
> - (again for this use of the affected code) maybe a scenario in which the SIGSEGV ultimately leads to disclosure of private data that wasn't contained in the SquashFS filesystem
>
> --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]