- Package: src:squirrel3
- Source: src:squirrel3
- Submitter: Moritz Mühlenhoff
- Date: 2026-06-25 20:35:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for squirrel3.

CVE-2021-41556[0]:
| sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an
| out-of-bounds read (in the core interpreter) that can lead to Code
| Execution. If a victim executes an attacker-controlled squirrel
| script, it is possible for the attacker to break out of the squirrel
| script sandbox even if all dangerous functionality such as File System
| functions has been disabled. An attacker might abuse this bug to
| target (for example) Cloud services that allow customization via
| SquirrelScripts, or distribute malware through video games that embed
| a Squirrel Engine.

https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41556

Please adjust the affected versions in the BTS as needed.
Dear maintainer,

I've prepared an NMU for squirrel3 (versioned as 3.1-8.5) and uploaded it
to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
We believe that the bug you reported is fixed in the latest version of
squirrel3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1016212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated squirrel3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 15 Jun 2026 17:22:20 +0300
Source: squirrel3
Architecture: source
Version: 3.1-8.5
Distribution: unstable
Urgency: medium
Maintainer: Fabian Wolff <fabi.wolff@arcor.de>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1016212
Changes:
 squirrel3 (3.1-8.5) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2021-41556: Sandbox Escape (Closes: #1016212)
Checksums-Sha1:
 9022bb377981dd63fe8ef9046fb5435214f5daf8 2043 squirrel3_3.1-8.5.dsc
 d6ab41ba6ef35d331f8583b2c053815429a9f20a 8084 squirrel3_3.1-8.5.debian.tar.xz
Checksums-Sha256:
 354607d3070dccd83e146c4117abe06d5e0661a4cc56b18c2e0a4e46d96b14f2 2043 squirrel3_3.1-8.5.dsc
 f9bda63c3a355f259cab958d3e0e93e11bead4ac9938f8e9c131fd856bedcd71 8084 squirrel3_3.1-8.5.debian.tar.xz
Files:
 8209338c2fd0d254bf24a747619f46c1 2043 interpreters optional squirrel3_3.1-8.5.dsc
 22163eb81d2cebd27e6aac9daa1edaef 8084 interpreters optional squirrel3_3.1-8.5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmowC3kACgkQiNJCh6LY
mLGftA/7BwD+i/7yA3GMCM5gKIJ/YWhahIXk1d1pmQRPncvBZt8TvaOZ/uLQxBre
gsleuxPibQih34DG78T/xCKvmcb6G2HWkBWYo8u2prFLfCpJV3LMLLirlTZUpbmT
XXRu12QZ1aFUrIX2wGYvl4XWBAYPqWA8RM51oxJ5LSM/8wFW8INHFsWCSJb+r1Le
2K8vDOK3TMlaDZFjwb98A7r/mwsKkP8d6Cie4mF/nUY+1XkDVUgXNyOmloGb+N2n
I6lV5S2Jojmr9Kbv6mfiWFFM+DoZFmWL5upUJlYEUAPguFG9Tmqrnu2QbFTkE3b2
3XMVxIfFznCs9QH4PAShxZslBmTUn6bo0LPyaej20NdF1Rxr2+DDmW0IznX553Ew
7GFHjU9DacgBoMJHDDA4c9N0TPuMiPsiES06X2F4mOz+HRm4WdAcIVU231X1fIzq
KYNN2RwqBOaS3AGdHXoIhmjcF2+RuMP8oCTI2HQzZj1NROxhmXO0iT7YTnxLbq+B
dL/pJcr4De0orLvQNTiiS7f03w9QpvWTO4OV9NzUK3p5lgBLkO6d+dhfAV6z/MEt
ROMWjHvwbfYOu/irf3Zm8Qgs/8LloV4MrZYi2b3WgIVrKngsPGoSxN4IdbRAExoF
9DAKbbm+/PB/YuDKJxehXilaZ2oFuB3ueFc/UxmvCZZvJ99SSpc=
=Qsx5
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
squirrel3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1016212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated squirrel3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 18 Jun 2026 23:28:11 +0300
Source: squirrel3
Architecture: source
Version: 3.1-8.2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Fabian Wolff <fabi.wolff@arcor.de>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1016212
Changes:
 squirrel3 (3.1-8.2+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2021-41556: Sandbox Escape (Closes: #1016212)
Checksums-Sha1:
 769e793d00907c8f68b4021b7da4cc2feebaaeab 2104 squirrel3_3.1-8.2+deb13u1.dsc
 16d4636348dd50c9ee3c859a113553157da97a84 175612 squirrel3_3.1.orig.tar.gz
 c1f9bf4b21e2285f00f15eebb2d2de90226dce26 7840 squirrel3_3.1-8.2+deb13u1.debian.tar.xz
Checksums-Sha256:
 43f12574b7e5d5ac6c587d19ffe3d7444e96078377e35c3d4d260b874ebf0ab8 2104 squirrel3_3.1-8.2+deb13u1.dsc
 51942b8638a97b673e34ecf3ca50304996fa99bbdbfa7fe93d9744e6769b2f95 175612 squirrel3_3.1.orig.tar.gz
 b10cb376268a6d3c6339d7a72aa5905aa799b7bebf33c59bebc07a025f63aca9 7840 squirrel3_3.1-8.2+deb13u1.debian.tar.xz
Files:
 88a7903afff720bdcd9a3546e0d592af 2104 interpreters optional squirrel3_3.1-8.2+deb13u1.dsc
 2f8350d4d1c524a89b360ee3f8f8066b 175612 interpreters optional squirrel3_3.1.orig.tar.gz
 c14a1f847f48ccaa1235e75c3ff91ef5 7840 interpreters optional squirrel3_3.1-8.2+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo0ViIACgkQiNJCh6LY
mLFtgRAAl5Lb3Hhaq9f9bG8o+ft/W57L4WUTTwEbcKo104SccPO7g4c7THE4wXW1
/qFbYRjIBZPSj5YJN9NWo+FU4/sClE2uJ0/QqIMtYacz/YJFzDIpU81wJ9IeT/Zj
6M+pAStAUC3bZqBXF5UwV0UKSyO2mDFzMMu/nfqef5OZndUnh+i0IjZBm9RabUYN
i6ZsrzQfHMczw02bWvu7l9djfax6CHd5d8EY8QczI0MISf3zmfvtpS3wPzpq25fZ
sHn0ayaFbM1E9rn9SNGVKSFRmrFhweWMMmZ0Wfw8sGVGkPAuNV8W9I0FbPQk1TUF
RSxBosP4rtuNJVBF+LbNhdXneB8aRLsTw3h7wrrk5pU0cdREr5KDmJJ0augBUUNU
EiPEwTJw8Ap5tum9+l/ow5jAkV/PV+hHLGzgxnUFQGEpS8wr2miR6Ph43XZ9Sdwy
nDUpCUFyX8+6FDTrwi9BKILg8dBMreIDeuRR/ccsfnS0BDob8WvIk6bHFq7ysLgw
l+7V5Dqy/EudpUal6GV7e+isVLLTNjLc7nrs1orlznZolUF1hj2Jl0VCoHMtBtxq
YsP8+/pINyyGmGJX/WZmkue+mj52lrqSmvs1E7vDODuj66iD+KGlsw2AS1Wk5sMC
xq3KTgt9vIs/Emvww7NR+TaTiB9VxxmijK1Ehm+cCRBuMfazA/I=
=mepC
-----END PGP SIGNATURE-----