{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2021-41072: fix the squashfs_opendir directory traversal vulnerability by restricting unsquashfs write operations",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1751888935.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1751888935",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1751888935"
      }
    ],
    "tracking": {
      "current_release_date": "2026-02-16T09:27:52Z",
      "generator": {
        "date": "2026-02-16T09:27:52Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1751888935",
      "initial_release_date": "2025-07-07T11:49:26Z",
      "revision_history": [
        {
          "date": "2025-07-07T11:49:26Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-16T09:27:52Z",
          "number": "2",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "squashfs-tools: Fix of CVE-2021-41072"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64",
                "product": {
                  "name": "squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64",
                  "product_id": "squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/squashfs-tools@4.4-8.git1.el9.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64"
        },
        "product_reference": "squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41072",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "notes": [
        {
          "category": "description",
          "text": "squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2021-41072"
        },
        {
          "category": "external",
          "summary": "https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd",
          "url": "https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd"
        },
        {
          "category": "external",
          "summary": "https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405",
          "url": "https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html",
          "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00017.html"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202305-29",
          "url": "https://security.gentoo.org/glsa/202305-29"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2021/dsa-4987",
          "url": "https://www.debian.org/security/2021/dsa-4987"
        }
      ],
      "release_date": "2021-09-14T01:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-07T11:48:57Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1751888935",
          "product_ids": [
            "AlmaLinux-9.2:squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1751888935"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:squashfs-tools-0:4.4-8.git1.el9.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}