[Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

[Marc Deslauriers]

The EXTRACT_UNSAFE_SYMLINKS variable was backed out in busybox 1.28.2 by
the following commit:

https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b

Two new commits were added to later 1.28 releases to fix more symlink
issues:

https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403
https://git.busybox.net/busybox/commit/?id=dd56921e2d404c8fc9484290a36411a13d14df1a

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1753572

Title:
  cpio in Busybox 1.27 ingnores "unsafe links"

Status in busybox package in Ubuntu:
  Confirmed
Status in debirf package in Ubuntu:
  Confirmed

Bug description:
  Description:    Ubuntu Bionic Beaver (development branch)
  Release:        18.04

  busybox:
    Installed: 1:1.27.2-2ubuntu3
    Candidate: 1:1.27.2-2ubuntu3

  3) Expected my CPIO archive to be fully extracted with proper symlinks
  Command: unxz < /rootfs.cxz | cpio -i

  4) 'Unsafe' symlinks were ignored such as:

  sbin/init -> /lib/systemd/systemd

  With the broken 1.27 sbin/init does not get created at all and my
  debirf initrd fails to load/boot properly.

  1.22 from Xenial works.
  GNU Cpio also works.

  It looks like 1.28 adds an env var to override this behavior:

  libarchive: do not extract unsafe symlinks unless
  $EXTRACT_UNSAFE_SYMLINKS=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions