2 files changed, 257 insertions, 1 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
new file mode 100644
index 0000000000..95e2534ee4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
+Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
+for compatible.
+Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
+CVE: CVE-2021-40153
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sat, 16 Jan 2021 20:08:55 +0000
+Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
+An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
+shows how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and ..) can cause Unsquashfs to write
+files outside of the destination directory.
+This commit fixes this exploit by checking all names for
+validity.
+In doing so I have also added checks for '.' and for names that
+are shorter than they should be (names in the file system should
+not have '\0' terminators).
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile        |  5 ++-
+ squashfs-tools/unsquash-1.c    |  9 +++++-
+ squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-2.c    |  9 +++++-
+ squashfs-tools/unsquash-3.c    |  9 +++++-
+ squashfs-tools/unsquash-4.c    |  9 +++++-
+ squashfs-tools/unsquashfs.h    |  5 ++-
+ 7 files changed, 98 insertions(+), 6 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-1234.c
+diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
+index aee4b960..20feaca2 100644
+--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
+@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
+        caches-queues-lists.o
+ 
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+-       unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
+       unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
+       compressor.o unsquashfs_info.o
+ 
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
+ 
+ unsquash-34.o: unsquashfs.h unsquash-34.c
+ 
+unsquash-1234.o: unsquash-1234.c
+
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+ 
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 34eced36..28326cb1 100644
+--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+                        memcpy(dire->name, directory_table + bytes,
+                                dire->size + 1);
+                        dire->name[dire->size + 1] = '\0';
+
+                       /* check name for invalid characters (i.e /, ., ..) */
+                       if(check_name(dire->name, dire->size + 1) == FALSE) {
+                               ERROR("File system corrupted: invalid characters in name\n");
+                               goto corrupted;
+                       }
+
+                        TRACE("squashfs_opendir: directory entry %s, inode "
+                                "%d:%d, type %d\n", dire->name,
+                                dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+new file mode 100644
+index 00000000..c2d4f42b
+--- /dev/null
+++ b/squashfs-tools/unsquash-1234.c
+@@ -0,0 +1,58 @@
+/*
+ * Unsquash a squashfs filesystem.  This is a highly compressed read only
+ * filesystem.
+ *
+ * Copyright (c) 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * unsquash-1234.c
+ *
+ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
+ * unsquash-4.
+ */
+
+#define TRUE 1
+#define FALSE 0
+/*
+ * Check name for validity, name should not
+ *  - be ".", "./", or
+ *  - be "..", "../" or
+ *  - have a "/" anywhere in the name, or
+ *  - be shorter than the expected size
+ */
+int check_name(char *name, int size)
+{
+       char *start = name;
+
+       if(name[0] == '.') {
+               if(name[1] == '.')
+                       name++;
+               if(name[1] == '/' || name[1] == '\0')
+                       return FALSE;
+       }
+
+       while(name[0] != '/' && name[0] != '\0')
+               name ++;
+
+       if(name[0] == '/')
+               return FALSE;
+
+       if((name - start) != size)
+               return FALSE;
+
+       return TRUE;
+}
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 4b3d767e..474064e1 100644
+--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2019
+ * Copyright (c) 2009, 2010, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+                        memcpy(dire->name, directory_table + bytes,
+                                dire->size + 1);
+                        dire->name[dire->size + 1] = '\0';
+
+                       /* check name for invalid characters (i.e /, ., ..) */
+                       if(check_name(dire->name, dire->size + 1) == FALSE) {
+                               ERROR("File system corrupted: invalid characters in name\n");
+                               goto corrupted;
+                       }
+
+                        TRACE("squashfs_opendir: directory entry %s, inode "
+                                "%d:%d, type %d\n", dire->name,
+                                dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index 02c31fc5..65cfe4d9 100644
+--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+                        memcpy(dire->name, directory_table + bytes,
+                                dire->size + 1);
+                        dire->name[dire->size + 1] = '\0';
+
+                       /* check name for invalid characters (i.e /, ., ..) */
+                       if(check_name(dire->name, dire->size + 1) == FALSE) {
+                               ERROR("File system corrupted: invalid characters in name\n");
+                               goto corrupted;
+                       }
+
+                        TRACE("squashfs_opendir: directory entry %s, inode "
+                                "%d:%d, type %d\n", dire->name,
+                                dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index 8475835c..aa23a841 100644
+--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+                        memcpy(dire->name, directory_table + bytes,
+                                dire->size + 1);
+                        dire->name[dire->size + 1] = '\0';
+
+                       /* check name for invalid characters (i.e /, ., ..) */
+                       if(check_name(dire->name, dire->size + 1) == FALSE) {
+                               ERROR("File system corrupted: invalid characters in name\n");
+                               goto corrupted;
+                       }
+
+                        TRACE("squashfs_opendir: directory entry %s, inode "
+                                "%d:%d, type %d\n", dire->name,
+                                dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 934618b2..db1da7a0 100644
+--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
+@@ -4,7 +4,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2014, 2019
+ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
+ 
+ /* unsquash-34.c */
+ extern long long *alloc_index_table(int);
+
+/* unsquash-1234.c */
+extern int check_name(char *, int);
+ #endif
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index b06951df36..5d754b20b3 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -1,14 +1,17 @@
 # Note, we can probably remove the lzma option as it has be replaced with xz,
 # and I don't think the kernel supports it any more.
 SUMMARY = "Tools for manipulating SquashFS filesystems"
+HOMEPAGE = "https://github.com/plougher/squashfs-tools"
+DESCRIPTION = "Tools to create and extract Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 PV = "4.4"
 SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
-SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
+SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https;branch=master \
           file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
+           file://CVE-2021-40153.patch;striplevel=2 \
 "
 S = "${WORKDIR}/git/squashfs-tools"

diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch new file mode 100644 index 0000000000..95e2534ee4 --- /dev/null +++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
		1	Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
		2	for compatible.
		3
		4	Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
		5	CVE: CVE-2021-40153
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8
		9	From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
		10	From: Phillip Lougher <phillip@squashfs.org.uk>
		11	Date: Sat, 16 Jan 2021 20:08:55 +0000
		12	Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
		13
		14	An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
		15	shows how some specially crafted Squashfs filesystems containing
		16	invalid file names (with '/' and ..) can cause Unsquashfs to write
		17	files outside of the destination directory.
		18
		19	This commit fixes this exploit by checking all names for
		20	validity.
		21
		22	In doing so I have also added checks for '.' and for names that
		23	are shorter than they should be (names in the file system should
		24	not have '\0' terminators).
		25
		26	Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
		27	---
		28	squashfs-tools/Makefile \| 5 ++-
		29	squashfs-tools/unsquash-1.c \| 9 +++++-
		30	squashfs-tools/unsquash-1234.c \| 58 ++++++++++++++++++++++++++++++++++
		31	squashfs-tools/unsquash-2.c \| 9 +++++-
		32	squashfs-tools/unsquash-3.c \| 9 +++++-
		33	squashfs-tools/unsquash-4.c \| 9 +++++-
		34	squashfs-tools/unsquashfs.h \| 5 ++-
		35	7 files changed, 98 insertions(+), 6 deletions(-)
		36	create mode 100644 squashfs-tools/unsquash-1234.c
		37
		38	diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
		39	index aee4b960..20feaca2 100644
		40	--- a/squashfs-tools/Makefile
		41	+++ b/squashfs-tools/Makefile
		42	@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
		43	caches-queues-lists.o
		44
		45	UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
		46	- unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
		47	+ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
		48	+ compressor.o unsquashfs_info.o
		49
		50	CFLAGS ?= -O2
		51	CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
		52	@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
		53
		54	unsquash-34.o: unsquashfs.h unsquash-34.c
		55
		56	+unsquash-1234.o: unsquash-1234.c
		57	+
		58	unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
		59
		60	unsquashfs_info.o: unsquashfs.h squashfs_fs.h
		61	diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
		62	index 34eced36..28326cb1 100644
		63	--- a/squashfs-tools/unsquash-1.c
		64	+++ b/squashfs-tools/unsquash-1.c
		65	@@ -2,7 +2,7 @@
		66	* Unsquash a squashfs filesystem. This is a highly compressed read only
		67	* filesystem.
		68	*
		69	- * Copyright (c) 2009, 2010, 2011, 2012, 2019
		70	+ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
		71	* Phillip Lougher <phillip@squashfs.org.uk>
		72	*
		73	* This program is free software; you can redistribute it and/or
		74	@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
		75	memcpy(dire->name, directory_table + bytes,
		76	dire->size + 1);
		77	dire->name[dire->size + 1] = '\0';
		78	+
		79	+ /* check name for invalid characters (i.e /, ., ..) */
		80	+ if(check_name(dire->name, dire->size + 1) == FALSE) {
		81	+ ERROR("File system corrupted: invalid characters in name\n");
		82	+ goto corrupted;
		83	+ }
		84	+
		85	TRACE("squashfs_opendir: directory entry %s, inode "
		86	"%d:%d, type %d\n", dire->name,
		87	dirh.start_block, dire->offset, dire->type);
		88	diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
		89	new file mode 100644
		90	index 00000000..c2d4f42b
		91	--- /dev/null
		92	+++ b/squashfs-tools/unsquash-1234.c
		93	@@ -0,0 +1,58 @@
		94	+/*
		95	+ * Unsquash a squashfs filesystem. This is a highly compressed read only
		96	+ * filesystem.
		97	+ *
		98	+ * Copyright (c) 2021
		99	+ * Phillip Lougher <phillip@squashfs.org.uk>
		100	+ *
		101	+ * This program is free software; you can redistribute it and/or
		102	+ * modify it under the terms of the GNU General Public License
		103	+ * as published by the Free Software Foundation; either version 2,
		104	+ * or (at your option) any later version.
		105	+ *
		106	+ * This program is distributed in the hope that it will be useful,
		107	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		108	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		109	+ * GNU General Public License for more details.
		110	+ *
		111	+ * You should have received a copy of the GNU General Public License
		112	+ * along with this program; if not, write to the Free Software
		113	+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
		114	+ *
		115	+ * unsquash-1234.c
		116	+ *
		117	+ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
		118	+ * unsquash-4.
		119	+ */
		120	+
		121	+#define TRUE 1
		122	+#define FALSE 0
		123	+/*
		124	+ * Check name for validity, name should not
		125	+ * - be ".", "./", or
		126	+ * - be "..", "../" or
		127	+ * - have a "/" anywhere in the name, or
		128	+ * - be shorter than the expected size
		129	+ */
		130	+int check_name(char *name, int size)
		131	+{
		132	+ char *start = name;
		133	+
		134	+ if(name[0] == '.') {
		135	+ if(name[1] == '.')
		136	+ name++;
		137	+ if(name[1] == '/' \|\| name[1] == '\0')
		138	+ return FALSE;
		139	+ }
		140	+
		141	+ while(name[0] != '/' && name[0] != '\0')
		142	+ name ++;
		143	+
		144	+ if(name[0] == '/')
		145	+ return FALSE;
		146	+
		147	+ if((name - start) != size)
		148	+ return FALSE;
		149	+
		150	+ return TRUE;
		151	+}
		152	diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
		153	index 4b3d767e..474064e1 100644
		154	--- a/squashfs-tools/unsquash-2.c
		155	+++ b/squashfs-tools/unsquash-2.c
		156	@@ -2,7 +2,7 @@
		157	* Unsquash a squashfs filesystem. This is a highly compressed read only
		158	* filesystem.
		159	*
		160	- * Copyright (c) 2009, 2010, 2013, 2019
		161	+ * Copyright (c) 2009, 2010, 2013, 2019, 2021
		162	* Phillip Lougher <phillip@squashfs.org.uk>
		163	*
		164	* This program is free software; you can redistribute it and/or
		165	@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
		166	memcpy(dire->name, directory_table + bytes,
		167	dire->size + 1);
		168	dire->name[dire->size + 1] = '\0';
		169	+
		170	+ /* check name for invalid characters (i.e /, ., ..) */
		171	+ if(check_name(dire->name, dire->size + 1) == FALSE) {
		172	+ ERROR("File system corrupted: invalid characters in name\n");
		173	+ goto corrupted;
		174	+ }
		175	+
		176	TRACE("squashfs_opendir: directory entry %s, inode "
		177	"%d:%d, type %d\n", dire->name,
		178	dirh.start_block, dire->offset, dire->type);
		179	diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
		180	index 02c31fc5..65cfe4d9 100644
		181	--- a/squashfs-tools/unsquash-3.c
		182	+++ b/squashfs-tools/unsquash-3.c
		183	@@ -2,7 +2,7 @@
		184	* Unsquash a squashfs filesystem. This is a highly compressed read only
		185	* filesystem.
		186	*
		187	- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
		188	+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
		189	* Phillip Lougher <phillip@squashfs.org.uk>
		190	*
		191	* This program is free software; you can redistribute it and/or
		192	@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
		193	memcpy(dire->name, directory_table + bytes,
		194	dire->size + 1);
		195	dire->name[dire->size + 1] = '\0';
		196	+
		197	+ /* check name for invalid characters (i.e /, ., ..) */
		198	+ if(check_name(dire->name, dire->size + 1) == FALSE) {
		199	+ ERROR("File system corrupted: invalid characters in name\n");
		200	+ goto corrupted;
		201	+ }
		202	+
		203	TRACE("squashfs_opendir: directory entry %s, inode "
		204	"%d:%d, type %d\n", dire->name,
		205	dirh.start_block, dire->offset, dire->type);
		206	diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
		207	index 8475835c..aa23a841 100644
		208	--- a/squashfs-tools/unsquash-4.c
		209	+++ b/squashfs-tools/unsquash-4.c
		210	@@ -2,7 +2,7 @@
		211	* Unsquash a squashfs filesystem. This is a highly compressed read only
		212	* filesystem.
		213	*
		214	- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
		215	+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
		216	* Phillip Lougher <phillip@squashfs.org.uk>
		217	*
		218	* This program is free software; you can redistribute it and/or
		219	@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
		220	memcpy(dire->name, directory_table + bytes,
		221	dire->size + 1);
		222	dire->name[dire->size + 1] = '\0';
		223	+
		224	+ /* check name for invalid characters (i.e /, ., ..) */
		225	+ if(check_name(dire->name, dire->size + 1) == FALSE) {
		226	+ ERROR("File system corrupted: invalid characters in name\n");
		227	+ goto corrupted;
		228	+ }
		229	+
		230	TRACE("squashfs_opendir: directory entry %s, inode "
		231	"%d:%d, type %d\n", dire->name,
		232	dirh.start_block, dire->offset, dire->type);
		233	diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
		234	index 934618b2..db1da7a0 100644
		235	--- a/squashfs-tools/unsquashfs.h
		236	+++ b/squashfs-tools/unsquashfs.h
		237	@@ -4,7 +4,7 @@
		238	* Unsquash a squashfs filesystem. This is a highly compressed read only
		239	* filesystem.
		240	*
		241	- * Copyright (c) 2009, 2010, 2013, 2014, 2019
		242	+ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
		243	* Phillip Lougher <phillip@squashfs.org.uk>
		244	*
		245	* This program is free software; you can redistribute it and/or
		246	@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
		247
		248	/* unsquash-34.c */
		249	extern long long *alloc_index_table(int);
		250	+
		251	+/* unsquash-1234.c */
		252	+extern int check_name(char *, int);
		253	#endif


diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb index b06951df36..5d754b20b3 100644 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -1,14 +1,17 @@
1	# Note, we can probably remove the lzma option as it has be replaced with xz,	1	# Note, we can probably remove the lzma option as it has be replaced with xz,
2	# and I don't think the kernel supports it any more.	2	# and I don't think the kernel supports it any more.
3	SUMMARY = "Tools for manipulating SquashFS filesystems"	3	SUMMARY = "Tools for manipulating SquashFS filesystems"
		4	HOMEPAGE = "https://github.com/plougher/squashfs-tools"
		5	DESCRIPTION = "Tools to create and extract Squashfs filesystems."
4	SECTION = "base"	6	SECTION = "base"
5	LICENSE = "GPL-2"	7	LICENSE = "GPL-2"
6	LIC_FILES_CHKSUM = "file://../COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"	8	LIC_FILES_CHKSUM = "file://../COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
7		9
8	PV = "4.4"	10	PV = "4.4"
9	SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"	11	SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
10	SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \	12	SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https;branch=master \
11	file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \	13	file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
		14	file://CVE-2021-40153.patch;striplevel=2 \
12	"	15	"
13		16
14	S = "${WORKDIR}/git/squashfs-tools"	17	S = "${WORKDIR}/git/squashfs-tools"