[Bugs] [Bug 13319] New: [CVE 21] squirrel 3.0.7 CVEs found

[bugzilla]

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13319

          Platform: 2021.1
            Bug ID: 13319
           Summary: [CVE 21] squirrel 3.0.7  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2021-41556,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package squirrel version 3.0.7

INFO (CVEs are): squirrel 3.0.7
 cves found
CVE-2021-41556
Desc: sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an
out-of-bounds read (in the core interpreter) that can lead to Code Execution.
If a victim executes an attacker-controlled squirrel script, it is possible for
the attacker to break out of the squirrel script sandbox even if all dangerous
functionality such as File System functions has been disabled. An attacker
might abuse this bug to target (for example) Cloud services that allow
customization via SquirrelScripts, or distribute malware through video games
that embed a Squirrel Engine.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-41556
Severity: CRITICAL

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/882a2c38/attachment.html>