[Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

Launchpad Bug Tracker 1753572 at bugs.launchpad.net
Wed Mar 6 11:42:58 UTC 2019 

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu3.1

---------------
busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Thu, 17 Jan 2019
13:16:38 -0500

** Changed in: busybox (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1753572

Title:
  cpio in Busybox 1.27 ingnores "unsafe links"

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Released
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed

Bug description:
  Description:    Ubuntu Bionic Beaver (development branch)
  Release:        18.04

  busybox:
    Installed: 1:1.27.2-2ubuntu3
    Candidate: 1:1.27.2-2ubuntu3

  3) Expected my CPIO archive to be fully extracted with proper symlinks
  Command: unxz < /rootfs.cxz | cpio -i

  4) 'Unsafe' symlinks were ignored such as:

  sbin/init -> /lib/systemd/systemd

  With the broken 1.27 sbin/init does not get created at all and my
  debirf initrd fails to load/boot properly.

  1.22 from Xenial works.
  GNU Cpio also works.

  It looks like 1.28 adds an env var to override this behavior:

  libarchive: do not extract unsafe symlinks unless
  $EXTRACT_UNSAFE_SYMLINKS=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions

More information about the foundations-bugs mailing list