From owner-freebsd-current@freebsd.org Sat May 14 23:29:57 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AC439B3BBDB for ; Sat, 14 May 2016 23:29:57 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from mail.vx.sk (mail.vx.sk [IPv6:2a01:4f8:161:9127::4]) by mx1.freebsd.org (Postfix) with ESMTP id 5FCCD1DBA; Sat, 14 May 2016 23:29:57 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from mail.vx.sk (localhost [127.0.0.1]) by mail.vx.sk (Postfix) with ESMTP id 6AD3C4103A; Sun, 15 May 2016 01:29:56 +0200 (CEST) X-Virus-Scanned: amavisd-new at mail.vx.sk Received: from mail.vx.sk by mail.vx.sk (amavisd-new, unix socket) with LMTP id XYSGilUAhBHB; Sun, 15 May 2016 01:29:55 +0200 (CEST) Received: from [IPv6:2a02:2450:1023:10:e4f1:24cb:9d2d:a948] (unknown [IPv6:2a02:2450:1023:10:e4f1:24cb:9d2d:a948]) by mail.vx.sk (Postfix) with ESMTPSA id A642B41027; Sun, 15 May 2016 01:29:54 +0200 (CEST) Subject: Re: libarchive update SVN r299529 breaks "ezjail update" To: Ian Lepore , michael butler , Tim Kientzle References: <2c059cf5-2c8a-3b89-16c3-eedf02a01ec5@protected-networks.net> <20160512173440.Horde.5l1s9ijXRgAeMNgmT0MmCPa@mail.vx.sk> <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk> <13C1C575-4AEA-463F-A6BE-92843DAD7B53@kientzle.com> <7838d5e7-5d81-37f5-53dd-efdd0e855ea6@protected-networks.net> <1463256489.1180.139.camel@freebsd.org> Cc: FreeBSD current From: Martin Matuska Message-ID: Date: Sun, 15 May 2016 01:29:54 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <1463256489.1180.139.camel@freebsd.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 May 2016 23:29:57 -0000 Ian, we are here talking about cpio, not libarchive. The flag in libarchive is not active by default. On 14.05.2016 22:08, Ian Lepore wrote: > On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote: >> From the looks of this, I think it's likely better to have the >> default >> be "secure" and ezjail-admin use the "--insecure" flag as an explicit >> override. That's the only place I've noticed the need for it although >> I've not done an extensive search for any other instances in which it >> might be required, >> >> imb >> > The real damage will happen to out-of-tree users. I think this will > impact our software updater for $work for example, and it has to work > with both old and new versions of libarchive, and now the new version > will require a flag that the old version will reject as unknown. > > Ick. > > -- Ian > >> On 5/14/2016 3:46 PM, Tim Kientzle wrote: >>> A little history about this issue: >>> >>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304 >>> >>> >>>> On May 14, 2016, at 12:17 PM, Tim Kientzle >>>> wrote: >>>> >>>> Many people consider the traditional behavior to be a security >>>> risk, which is why this was changed. >>>> >>>> FreeBSD is welcome to make --insecure the default on FreeBSD, but >>>> I'm reluctant to do that in the upstream libarchive project. >>>> >>>> Tim >>>> >>>> >>>>> On May 12, 2016, at 8:54 AM, Martin Matuska >>>>> wrote: >>>>> >>>>> Looks like we have to remove line #174 from cpio/cpio.c: >>>>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; >>>>> >>>>> This breaks traditional cpio behavior. >>>>> >>>>> Quoting Martin Matuska : >>>>> >>>>>> Hi Michael, I have looked at the source and this is an >>>>>> intended change in 3.2.0. >>>>>> >>>>>> An absolute path security check was added, cpio refuses to >>>>>> extract or copy over absolute paths. To do this anyway the "- >>>>>> -insecure" flag must be used. >>>>>> >>>>>> Here is the commit: >>>>>> https://github.com/libarchive/libarchive/commit/59357157706d4 >>>>>> 7c365b2227739e17daba3607526 >>>>>> >>>>>> Quoting Michael Butler : >>>>>> >>>>>>> It seems that today's libarchive update breaks cpio's >>>>>>> behaviour: >>>>>>> >>>>>>> sudo ezjail-admin update -i -s /usr/src >>>>>>> >>>>>>> [ .. ] >>>>>>> >>>>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 >>>>>>> COPYRIGHT >>>>>>> /usr/local/jails/fulljail/ >>>>>>> install -o root -g wheel -m 444 >>>>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints >>>>>>> /usr/local/jails/fulljail/boot/device.hints >>>>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: >>>>>>> Path is >>>>>>> absolute: Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/domainnamecpio: >>>>>>> bin/domainname: Path is >>>>>>> absolute: Unknown error: -1 >>>>>>> [ .. etc. .. ] >>>>>> >>>>>> >>>>>> Martin Matuska >>>>>> FreeBSD committer >>>>>> http://blog.vx.sk >>>>> >>>>> >>>>> Martin Matuska >>>>> FreeBSD committer >>>>> http://blog.vx.sk >> _______________________________________________ >> freebsd-current@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-current >> To unsubscribe, send any mail to " >> freebsd-current-unsubscribe@freebsd.org"