libarchive update SVN r299529 breaks "ezjail update"
Tim Kientzle
tim at kientzle.com
Sat May 14 19:46:04 UTC 2016
A little history about this issue:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
> On May 14, 2016, at 12:17 PM, Tim Kientzle <tim at kientzle.com> wrote:
>
> Many people consider the traditional behavior to be a security risk, which is why this was changed.
>
> FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant to do that in the upstream libarchive project.
>
> Tim
>
>
>> On May 12, 2016, at 8:54 AM, Martin Matuska <mm at freebsd.org> wrote:
>>
>> Looks like we have to remove line #174 from cpio/cpio.c:
>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>>
>> This breaks traditional cpio behavior.
>>
>> Quoting Martin Matuska <mm at freebsd.org>:
>>
>>> Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
>>>
>>> An absolute path security check was added; cpio refuses to extract or copy over absolute paths. To do this anyway, the "--insecure" flag must be used.
>>>
>>> Here is the commit:
>>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>>
>>> Quoting Michael Butler <imb at protected-networks.net>:
>>>
>>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>>
>>>> sudo ezjail-admin update -i -s /usr/src
>>>>
>>>> [ .. ]
>>>>
>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
>>>> /usr/local/jails/fulljail/
>>>> install -o root -g wheel -m 444
>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>>> /usr/local/jails/fulljail/boot/device.hints
>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>>> absolute: Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>>> absolute: Unknown error: -1
>>>> [ .. etc. .. ]
>>>
>>>
>>>
>>> Martin Matuska
>>> FreeBSD committer
>>> http://blog.vx.sk
>>
>>
>>
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
>
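A minimal sketch of the kind of path check discussed in this thread, added here as an illustration; it is not libarchive's code and not part of the original messages. The policy bits, the `check_member_path` function and the verdict names are hypothetical, and the example goes one step beyond the thread by also rejecting `..` components. Passing policy 0 stands in for running without the checks, as `--insecure` does.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy bits for this sketch; NOT libarchive's ARCHIVE_EXTRACT_* values. */
#define POLICY_NO_ABSOLUTE 0x1   /* refuse names that start with '/' */
#define POLICY_NO_DOTDOT   0x2   /* refuse names with a ".." component */

enum verdict { PATH_OK = 0, PATH_EMPTY, PATH_ABSOLUTE, PATH_DOTDOT };

/* Decide whether a destination name may be written under the given policy. */
enum verdict check_member_path(const char *path, int policy)
{
    if (path == NULL || *path == '\0')
        return PATH_EMPTY;
    if ((policy & POLICY_NO_ABSOLUTE) && path[0] == '/')
        return PATH_ABSOLUTE;
    if (policy & POLICY_NO_DOTDOT) {
        const char *p = path;
        while (*p != '\0') {
            while (*p == '/')              /* skip separators, including "//" */
                p++;
            size_t n = strcspn(p, "/");    /* length of the next component */
            if (n == 2 && p[0] == '.' && p[1] == '.')
                return PATH_DOTDOT;
            p += n;
        }
    }
    return PATH_OK;
}

int main(void)
{
    /* Constructed sample names; the first two are modelled on the error output in the thread. */
    static const char *names[] = {
        "/usr/local/jails/basejail/bin/cat", "bin/cat",
        "bin/../../etc/passwd", "bin/..cat",
    };
    static const char *text[] = { "ok", "empty", "path is absolute", "contains .." };
    int strict = POLICY_NO_ABSOLUTE | POLICY_NO_DOTDOT;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-36s strict: %-18s no checks: %s\n", names[i],
               text[check_member_path(names[i], strict)],
               text[check_member_path(names[i], 0)]);
    return 0;
}
```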