Date: Sat, 14 May 2016 12:46:00 -0700 From: Tim Kientzle <tim@kientzle.com> To: Martin Matuska <mm@freebsd.org>, Michael Butler <imb@protected-networks.net> Cc: FreeBSD current <freebsd-current@freebsd.org> Subject: Re: libarchive update SVN r299529 breaks "ezjail update" Message-ID: <13C1C575-4AEA-463F-A6BE-92843DAD7B53@kientzle.com> In-Reply-To: <E9B21A7F-AD3A-4182-AACC-3B92BBEF1216@kientzle.com> References: <2c059cf5-2c8a-3b89-16c3-eedf02a01ec5@protected-networks.net> <20160512173440.Horde.5l1s9ijXRgAeMNgmT0MmCPa@mail.vx.sk> <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk> <E9B21A7F-AD3A-4182-AACC-3B92BBEF1216@kientzle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
A little history about this issue: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-2304 > On May 14, 2016, at 12:17 PM, Tim Kientzle <tim@kientzle.com> wrote: >=20 > Many people consider the traditional behavior to be a security risk, = which is why this was changed. >=20 > FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm = reluctant to do that in the upstream libarchive project. >=20 > Tim >=20 >=20 >> On May 12, 2016, at 8:54 AM, Martin Matuska <mm@freebsd.org> wrote: >>=20 >> Looks like we have to remove line #174 from cpio/cpio.c: >> cpio->extract_flags |=3D ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; >>=20 >> This breaks traditional cpio behavior. >>=20 >> Quoting Martin Matuska <mm@freebsd.org>: >>=20 >>> Hi Michael, I have looked at the source and this is an intended = change in 3.2.0. >>>=20 >>> An absolute path security check was added, cpio refuses to extract = or copy over absolute paths. To do this anyway the "--insecure" flag = must be used. >>>=20 >>> Here is the commit: >>> = https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739= e17daba3607526 >>>=20 >>> Quoting Michael Butler <imb@protected-networks.net>: >>>=20 >>>> It seems that today's libarchive update breaks cpio's behaviour: >>>>=20 >>>> sudo ezjail-admin update -i -s /usr/src >>>>=20 >>>> [ .. ] >>>>=20 >>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT >>>> /usr/local/jails/fulljail/ >>>> install -o root -g wheel -m 444 >>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints >>>> /usr/local/jails/fulljail/boot/device.hints >>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown = error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute: >>>> Unknown error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is >>>> absolute: Unknown error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute: >>>> Unknown error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is = absolute: >>>> Unknown error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: = Unknown >>>> error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute: >>>> Unknown error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: = Unknown >>>> error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: = Unknown >>>> error: -1 >>>>=20 >>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path = is >>>> absolute: Unknown error: -1 >>>> [ .. etc. .. ] >>>=20 >>>=20 >>>=20 >>> Martin Matuska >>> FreeBSD committer >>> http://blog.vx.sk >>=20 >>=20 >>=20 >> Martin Matuska >> FreeBSD committer >> http://blog.vx.sk >=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?13C1C575-4AEA-463F-A6BE-92843DAD7B53>