VDB
GCVE-VVD-MAGEIA-2022-10
GCVE-VVD-MAGEIA-2022-10
Advisory Published
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename
in the directory entry; this is then used by unsquashfs to create the new
file during the unsquash. The filename is not validated for traversal
outside of the destination directory, and thus allows writing to locations
outside of the destination. (CVE-2021-40153)
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory
Traversal, a different vulnerability than CVE-2021-40153. A squashfs
filesystem that has been crafted to include a symbolic link and then
contents under the same filename in a filesystem can cause unsquashfs to
first create the symbolic link pointing outside the expected directory,
and then the subsequent write operation will cause the unsquashfs process
to write through the symbolic link elsewhere in the filesystem.
(CVE-2021-41072)
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | gcompris-qt | 0 (affected), 2.0-1.mga8 (unaffected) | — |
| Mageia | squashfs-tools | 0 (affected), 4.5-1.git5ae723.1.mga8 (unaffected), 0 (affected), 4.5-1.git5ae723.1.mga8 (unaffected) | — |
References
Browse GCVE Records
100 records in the GCVE database · Updated April 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.