cpio in Busybox 1.27 ingnores "unsafe links"
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | busybox (Ubuntu) |
Undecided
|
Unassigned | ||
| | Bionic |
Undecided
|
Unassigned | ||
| | Cosmic |
Undecided
|
Unassigned | ||
| | debirf (Ubuntu) |
Undecided
|
Unassigned | ||
| | Bionic |
Undecided
|
Unassigned | ||
| | Cosmic |
Undecided
|
Unassigned | ||
Bug Description
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
busybox:
Installed: 1:1.27.2-2ubuntu3
Candidate: 1:1.27.2-2ubuntu3
3) Expected my CPIO archive to be fully extracted with proper symlinks
Command: unxz < /rootfs.cxz | cpio -i
4) 'Unsafe' symlinks were ignored such as:
sbin/init -> /lib/systemd/
With the broken 1.27 sbin/init does not get created at all and my debirf initrd fails to load/boot properly.
1.22 from Xenial works.
GNU Cpio also works.
It looks like 1.28 adds an env var to override this behavior:
libarchive: do not extract unsafe symlinks unless $EXTRACT_
CVE References
| Bryan Seitz (seitz-a) wrote : | #2 |
Proposed solution: back port the env var patch or upgrade to 1.28.
| Launchpad Janitor (janitor) wrote : | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in debirf (Ubuntu): | |
| status: | New → Confirmed |
| affects: | busybox → debirf (Ubuntu) |
| Changed in debirf (Ubuntu): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #5 |
The EXTRACT_
https:/
Two new commits were added to later 1.28 releases to fix more symlink issues:
https:/
https:/
| Marc Deslauriers (mdeslaur) wrote : | #6 |
Hi! I've prepared a busybox update and uploaded it to my PPA here:
https:/
Could you please see if it resolves your issue? If so, I'll upload it to cosmic and SRU it to bionic.
Thanks!
| Changed in busybox (Ubuntu Bionic): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #7 |
Hello?
| Bryan Seitz (seitz-a) wrote : | #8 |
This does look good now, thanks!
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4
---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium
* Fix symlink handling (LP: #1753572)
- debian/
- debian/
with "suspicious" targets in archival/
archival/
include/
- debian/
the same way tar/unzip does in archival/cpio.c.
- debian/
archival/
-- Marc Deslauriers <email address hidden> Mon, 09 Jul 2018 10:25:24 -0400
| Changed in busybox (Ubuntu Cosmic): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in debirf (Ubuntu Bionic): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #11 |
I just uploaded this for bionic to be processed by the SRU team.
Bryan, do you have an example archive that can be used to test this? Thanks!
| Changed in busybox (Ubuntu Bionic): | |
| status: | Confirmed → In Progress |
| Bryan Seitz (seitz-a) wrote : | #12 |
I was using it to build a U18 debirf image when I saw this issue. I can generate one in a bit for you.
| Brian Murray (brian-murray) wrote : | #13 |
Bryan - is there any chance we could get that image?
| Bryan Seitz (seitz-a) wrote : | #14 |
Yeah apologies, I have to allocate another U18 host and build one. Will aim for tomorrow.
| Bryan Seitz (seitz-a) wrote : | #15 |
Creating image now.
| Bryan Seitz (seitz-a) wrote : | #16 |
I have the image, how can I get it to you privately to test? (Or alternatively, I can test it with the new version if you have a link?)
Hello Bryan, or anyone else affected,
Accepted busybox into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in busybox (Ubuntu Bionic): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-bionic |
| Marc Deslauriers (mdeslaur) wrote : | #18 |
Hi Bryan,
Could you please test the package that is now in bionic-proposed, and post your results here?
Thanks!
| Bryan Seitz (seitz-a) wrote : | #19 |
Yes, 1.27.2-2ubuntu3.1 looks to fix the issue with 1.27.2-2ubuntu3!
Thanks!
| Marc Deslauriers (mdeslaur) wrote : | #20 |
Thanks!
| tags: |
added: verification-done verification-done-bionic removed: verification-needed verification-needed-bionic |
| Launchpad Janitor (janitor) wrote : | #21 |
This bug was fixed in the package busybox - 1:1.27.2-2ubuntu3.1
---------------
busybox (1:1.27.
* Fix symlink handling (LP: #1753572)
- debian/
- debian/
with "suspicious" targets in archival/
archival/
include/
- debian/
the same way tar/unzip does in archival/cpio.c.
- debian/
archival/
-- Marc Deslauriers <email address hidden> Thu, 17 Jan 2019 13:16:38 -0500
| Changed in busybox (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
| Robie Basak (racb) wrote : Update Released | #22 |
The verification of the Stable Release Update for busybox has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Status changed to 'Confirmed' because the bug affects multiple users.