Re: libarchive update SVN r299529 breaks "ezjail update"

From: michael butler <imb_at_protected-networks.net>
Date: Sat, 14 May 2016 15:51:32 -0400
From the looks of this, I think it's likely better to have the default 
be "secure" and ezjail-admin use the "--insecure" flag as an explicit 
override. That's the only place I've noticed the need for it, although 
I've not done an extensive search for any other instances in which it 
might be required.

	imb

On 5/14/2016 3:46 PM, Tim Kientzle wrote:
> A little history about this issue:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
>
>
>> On May 14, 2016, at 12:17 PM, Tim Kientzle <tim_at_kientzle.com> wrote:
>>
>> Many people consider the traditional behavior to be a security risk, which is why this was changed.
>>
>> FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant to do that in the upstream libarchive project.
>>
>> Tim
>>
>>
>>> On May 12, 2016, at 8:54 AM, Martin Matuska <mm_at_freebsd.org> wrote:
>>>
>>> Looks like we have to remove line #174 from cpio/cpio.c:
>>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>>>
>>> This breaks traditional cpio behavior.
>>>
>>> Quoting Martin Matuska <mm_at_freebsd.org>:
>>>
>>>> Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
>>>>
>>>> An absolute path security check was added, cpio refuses to extract or copy over absolute paths. To do this anyway the "--insecure" flag must be used.
>>>>
>>>> Here is the commit:
>>>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>>>
>>>> Quoting Michael Butler <imb_at_protected-networks.net>:
>>>>
>>>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>>>
>>>>> sudo ezjail-admin update -i -s /usr/src
>>>>>
>>>>> [ .. ]
>>>>>
>>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
>>>>> /usr/local/jails/fulljail/
>>>>> install -o root -g wheel -m 444
>>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>>>> /usr/local/jails/fulljail/boot/device.hints
>>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>>>> Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>>>> absolute: Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>>>> Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>>>> Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>>>> error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>>>> Unknown error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>>>> error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>>>> error: -1
>>>>>
>>>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>>>> absolute: Unknown error: -1
>>>>> [ .. etc. .. ]
>>>>
>>>>
>>>>
>>>> Martin Matuska
>>>> FreeBSD committer
>>>> http://blog.vx.sk
>>>
>>>
>>>
>>> Martin Matuska
>>> FreeBSD committer
>>> http://blog.vx.sk
>>
>
Received on Sat May 14 2016 - 17:51:35 UTC
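As an added example (not code from this thread or from libarchive), a pure-Python sketch of the check Martin describes: a minimal SVR4 "newc" cpio reader plus the absolute-path policy that ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS enforces by default and that bsdcpio's --insecure flag switches off. The archive writer, the sample entries and the function names are constructed for illustration.

```python
# Constructed example: a minimal newc cpio reader plus the absolute-path policy that
# ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS enforces (secure default) and that bsdcpio's
# --insecure flag disables. Illustrative only; this is not libarchive's own code.
MAGIC = b"070701"
TRAILER = "TRAILER!!!"

def _pad4(n):
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (n + 3) & ~3

def build_newc(entries):
    """Build an in-memory newc archive from (name, data) pairs (constructed sample data)."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [(TRAILER, b"")], start=1):
        namesize = len(name) + 1  # name is NUL-terminated
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
        hdr = MAGIC + "".join(f"{f:08x}" for f in fields).encode() + name.encode() + b"\0"
        out += hdr.ljust(_pad4(len(hdr)), b"\0")
        out += data.ljust(_pad4(len(data)), b"\0")
    return bytes(out)

def list_newc(blob):
    """Yield entry pathnames in order, stopping at the TRAILER!!! record."""
    off = 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] != MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        if name == TRAILER:
            return
        yield name
        off += _pad4(110 + namesize) + _pad4(filesize)

def audit(blob, insecure=False):
    """Classify entries: the secure default rejects absolute paths with the same
    message bsdcpio prints; insecure=True mimics --insecure and accepts them."""
    accepted, rejected = [], []
    for name in list_newc(blob):
        if name.startswith("/") and not insecure:
            rejected.append((name, "Path is absolute"))
        else:
            accepted.append(name)
    return accepted, rejected

# Constructed sample: one relative entry and one absolute entry.
SAMPLE = build_newc([("bin/cat", b"#!/bin/sh\n"), ("/bin/cat", b"#!/bin/sh\n")])
```

Running `audit(SAMPLE)` rejects only the "/bin/cat" entry, while `audit(SAMPLE, insecure=True)` accepts both, which is the behavioural difference the "--insecure" override in ezjail-admin would paper over.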
