cpio in Busybox 1.27 ingnores "unsafe links"

Bug #1753572 reported by Bryan Seitz on 2018-03-05
32
This bug affects 5 people
Affects Status Importance Assigned to Milestone
busybox (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
debirf (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned

Bug Description

Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04

busybox:
  Installed: 1:1.27.2-2ubuntu3
  Candidate: 1:1.27.2-2ubuntu3

3) Expected my CPIO archive to be fully extracted with proper symlinks
Command: unxz < /rootfs.cxz | cpio -i

4) 'Unsafe' symlinks were ignored such as:

sbin/init -> /lib/systemd/systemd

With the broken 1.27 sbin/init does not get created at all and my debirf initrd fails to load/boot properly.

1.22 from Xenial works.
GNU Cpio also works.

It looks like 1.28 adds an env var to override this behavior:

libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1

CVE References

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in busybox (Ubuntu):
status: New → Confirmed
Bryan Seitz (seitz-a) wrote :

Proposed solution: back port the env var patch or upgrade to 1.28.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Bryan Seitz (seitz-a) on 2018-03-05
affects: busybox → debirf (Ubuntu)
Changed in debirf (Ubuntu):
status: New → Confirmed
Changed in debirf (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :
Marc Deslauriers (mdeslaur) wrote :

Hi! I've prepared a busybox update and uploaded it to my PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please see if it resolves your issue? If so, I'll upload it to cosmic and SRU it to bionic.

Thanks!

Changed in busybox (Ubuntu Bionic):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Hello?

Bryan Seitz (seitz-a) wrote :

This does look good now, thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4

---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Mon, 09 Jul 2018 10:25:24 -0400

Changed in busybox (Ubuntu Cosmic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in debirf (Ubuntu Bionic):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

I just uploaded this for bionic to be processed by the SRU team.

Bryan, do you have an example archive that can be used to test this? Thanks!

Changed in busybox (Ubuntu Bionic):
status: Confirmed → In Progress
Bryan Seitz (seitz-a) wrote :

I was using it to build a U18 debirf image when I saw this issue. I can generate one in a bit for you.

Brian Murray (brian-murray) wrote :

Bryan - is there any chance we could get that image?

Bryan Seitz (seitz-a) wrote :

Yeah apologies, I have to allocate another U18 host and build one. Will aim for tomorrow.

Bryan Seitz (seitz-a) wrote :

Creating image now.

Bryan Seitz (seitz-a) wrote :

I have the image, how can I get it to you privately to test? (Or alternatively, I can test it with the new version if you have a link?)

Hello Bryan, or anyone else affected,

Accepted busybox into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in busybox (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Marc Deslauriers (mdeslaur) wrote :

Hi Bryan,

Could you please test the package that is now in bionic-proposed, and post your results here?

Thanks!

Bryan Seitz (seitz-a) wrote :

Yes, 1.27.2-2ubuntu3.1 looks to fix the issue with 1.27.2-2ubuntu3!

Thanks!

Marc Deslauriers (mdeslaur) wrote :

Thanks!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers