[Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

Launchpad Bug Tracker 1753572 at bugs.launchpad.net
Fri Jul 13 15:20:16 UTC 2018 

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4

---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 09 Jul 2018
10:25:24 -0400

** Changed in: busybox (Ubuntu Cosmic)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5325

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1753572

Title:
  cpio in Busybox 1.27 ingnores "unsafe links"

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  New
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed

Bug description:
  Description:    Ubuntu Bionic Beaver (development branch)
  Release:        18.04

  busybox:
    Installed: 1:1.27.2-2ubuntu3
    Candidate: 1:1.27.2-2ubuntu3

  3) Expected my CPIO archive to be fully extracted with proper symlinks
  Command: unxz < /rootfs.cxz | cpio -i

  4) 'Unsafe' symlinks were ignored such as:

  sbin/init -> /lib/systemd/systemd

  With the broken 1.27 sbin/init does not get created at all and my
  debirf initrd fails to load/boot properly.

  1.22 from Xenial works.
  GNU Cpio also works.

  It looks like 1.28 adds an env var to override this behavior:

  libarchive: do not extract unsafe symlinks unless
  $EXTRACT_UNSAFE_SYMLINKS=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions

More information about the foundations-bugs mailing list