CVE-2012-4024Out-of-bounds Write in Squashfs-tools

CWE-787Out-of-bounds Write7 documents6 sources
Severity
6.8MEDIUMNVD
EPSS
2.3%
top 15.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Squashfs-tools Project Squashfs-toolsDebian Squashfs-toolsSquashfs Project Squashfs
Timeline
PublishedJul 19
Latest updateMay 13

Description

Stack-based buffer overflow in the get_component function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted list file (aka a crafted file for the -ef option). NOTE: probably in most cases, the list file is a trusted file constructed by the program's user; however, there are some realistic situations in which a list file would be obtained from an untrusted remote source.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

debiandebian/squashfs-tools< squashfs-tools 1:4.2+20121212-1 (bookworm)
Debiansquashfs-tools_project/squashfs-tools< 1:4.2+20121212-1+3

🔴Vulnerability Details

2
GHSA
GHSA-r5cx-4556-w7x7: Stack-based buffer overflow in the get_component function in unsquashfs2022-05-13
OSV
CVE-2012-4024: Stack-based buffer overflow in the get_component function in unsquashfs2012-07-19

📋Vendor Advisories

2
Red Hat
squashfs-tools: remote arbitrary code execution via crafted list file2012-07-18
Debian
CVE-2012-4024: squashfs-tools - Stack-based buffer overflow in the get_component function in unsquashfs.c in uns...2012

💬Community

2
Bugzilla
CVE-2012-4024 CVE-2012-4025 squashfs-tools various flaws [fedora-all]2012-08-10
Bugzilla
CVE-2012-4024 squashfs-tools: remote arbitrary code execution via crafted list file2012-07-23