Security update for squirrel SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0080-1 Final 1 1 2023-03-23T17:01:16Z current 2023-03-23T17:01:16Z 2023-03-23T17:01:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for squirrel This update for squirrel fixes the following issues: - CVE-2021-41556: fix out-of-bounds read issue (boo#1201974) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-80 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/ E-Mail link for openSUSE-SU-2023:0080-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201974 SUSE Bug 1201974 https://www.suse.com/security/cve/CVE-2021-41556/ SUSE CVE CVE-2021-41556 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 squirrel-3.0.7-bp154.3.3.1 squirrel-devel-3.0.7-bp154.3.3.1 squirrel-devel-static-3.0.7-bp154.3.3.1 squirrel-doc-3.0.7-bp154.3.3.1 squirrel-examples-3.0.7-bp154.3.3.1 squirrel-3.0.7-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 squirrel-devel-3.0.7-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 squirrel-devel-static-3.0.7-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 squirrel-doc-3.0.7-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 squirrel-examples-3.0.7-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 squirrel-3.0.7-bp154.3.3.1 as a component of openSUSE Leap 15.4 squirrel-devel-3.0.7-bp154.3.3.1 as a component of openSUSE Leap 15.4 squirrel-devel-static-3.0.7-bp154.3.3.1 as a component of openSUSE Leap 15.4 squirrel-doc-3.0.7-bp154.3.3.1 as a component of openSUSE Leap 15.4 squirrel-examples-3.0.7-bp154.3.3.1 as a component of openSUSE Leap 15.4 sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine. CVE-2021-41556 SUSE Package Hub 15 SP4:squirrel-3.0.7-bp154.3.3.1 SUSE Package Hub 15 SP4:squirrel-devel-3.0.7-bp154.3.3.1 SUSE Package Hub 15 SP4:squirrel-devel-static-3.0.7-bp154.3.3.1 SUSE Package Hub 15 SP4:squirrel-doc-3.0.7-bp154.3.3.1 SUSE Package Hub 15 SP4:squirrel-examples-3.0.7-bp154.3.3.1 openSUSE Leap 15.4:squirrel-3.0.7-bp154.3.3.1 openSUSE Leap 15.4:squirrel-devel-3.0.7-bp154.3.3.1 openSUSE Leap 15.4:squirrel-devel-static-3.0.7-bp154.3.3.1 openSUSE Leap 15.4:squirrel-doc-3.0.7-bp154.3.3.1 openSUSE Leap 15.4:squirrel-examples-3.0.7-bp154.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5NX6SWKNR7LNUXJROLGLSVD3ZEB4LUQY/ https://www.suse.com/security/cve/CVE-2021-41556.html CVE-2021-41556 https://bugzilla.suse.com/1201974 SUSE Bug 1201974