From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 207965] [nanobsd] regression during disk image build after CVE-2015-2304 fix/libarchive 3.2.0 update
Date: Sat, 14 May 2016 12:55:23 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: junovitch@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207965

--- Comment #3 from Jason Unovitch ---
Turns out we relied on absolute path extraction in multiple places as it broke
ports as well after the 3.2.0 update [1] and the commit was reverted shortly
after [2].

[1] https://svnweb.freebsd.org/base?view=revision&revision=299529
[2] https://svnweb.freebsd.org/base?view=revision&revision=299576

As per the new cpio(1) manual, --insecure is needed for:
"This allows extraction via symbolic links, absolute paths, and path names
containing .. in the name."

On r299575 before the revert, the image builds are broken with the "Path is
absolute" failure before applying this change and fixed afterwards. There is
also no change to building a good image by using --insecure on r299278 before
the update.
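
The three entry classes named in the cpio(1) quote above can be checked before deciding whether a build step really needs --insecure. This is an added example, not code from the bug report, nanobsd or libarchive. It assumes a tar archive as a stand-in (the Python standard library has no cpio reader), uses constructed entry names, and only looks at symlinks created inside the archive.

```python
import io
import tarfile

def classify(members):
    """Map entry name -> reasons it falls in one of the three cpio(1) classes."""
    symlinks, flagged = set(), {}
    for m in members:
        parts = [p for p in m.name.split("/") if p not in ("", ".")]
        reasons = []
        if m.name.startswith("/"):
            reasons.append("absolute path")
        if ".." in parts:
            reasons.append("contains ..")
        # A leading directory component that an earlier entry created as a symlink.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                reasons.append("extracts through symlink " + prefix)
                break
        if m.issym():
            symlinks.add("/".join(parts))
        if reasons:
            flagged[m.name] = reasons
    return flagged

def build_sample():
    """Constructed in-memory archive; every entry name here is made up."""
    entries = [
        ("etc/rc.conf", None),                 # plain relative path
        ("/etc/ttys", None),                   # absolute path
        ("usr/../../boot/loader.conf", None),  # climbs out with ..
        ("cfg", "/tmp"),                       # symlink entry
        ("cfg/local.conf", None),              # lands behind that symlink
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tf.addfile(info)
    buf.seek(0)
    return buf

def audit(fileobj):
    """List the archive without extracting anything and classify its entries."""
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        return classify(tf.getmembers())

if __name__ == "__main__":
    for name, reasons in audit(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

An empty result means the archive has none of the three entry classes and the default (secure) extraction should not reject it on those grounds.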