Ian, we are here talking about cpio, not libarchive. The flag in libarchive is not active by default. On 14.05.2016 22:08, Ian Lepore wrote: > On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote: >> From the looks of this, I think it's likely better to have the >> default >> be "secure" and ezjail-admin use the "--insecure" flag as an explicit >> override. That's the only place I've noticed the need for it although >> I've not done an extensive search for any other instances in which it >> might be required, >> >> imb >> > The real damage will happen to out-of-tree users. I think this will > impact our software updater for $work for example, and it has to work > with both old and new versions of libarchive, and now the new version > will require a flag that the old version will reject as unknown. > > Ick. > > -- Ian > >> On 5/14/2016 3:46 PM, Tim Kientzle wrote: >>> A little history about this issue: >>> >>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304 >>> >>> >>>> On May 14, 2016, at 12:17 PM, Tim Kientzle <tim_at_kientzle.com> >>>> wrote: >>>> >>>> Many people consider the traditional behavior to be a security >>>> risk, which is why this was changed. >>>> >>>> FreeBSD is welcome to make --insecure the default on FreeBSD, but >>>> I'm reluctant to do that in the upstream libarchive project. >>>> >>>> Tim >>>> >>>> >>>>> On May 12, 2016, at 8:54 AM, Martin Matuska <mm_at_freebsd.org> >>>>> wrote: >>>>> >>>>> Looks like we have to remove line #174 from cpio/cpio.c: >>>>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; >>>>> >>>>> This breaks traditional cpio behavior. >>>>> >>>>> Quoting Martin Matuska <mm_at_freebsd.org>: >>>>> >>>>>> Hi Michael, I have looked at the source and this is an >>>>>> intended change in 3.2.0. >>>>>> >>>>>> An absolute path security check was added, cpio refuses to >>>>>> extract or copy over absolute paths. To do this anyway the "- >>>>>> -insecure" flag must be used. >>>>>> >>>>>> Here is the commit: >>>>>> https://github.com/libarchive/libarchive/commit/59357157706d4 >>>>>> 7c365b2227739e17daba3607526 >>>>>> >>>>>> Quoting Michael Butler <imb_at_protected-networks.net>: >>>>>> >>>>>>> It seems that today's libarchive update breaks cpio's >>>>>>> behaviour: >>>>>>> >>>>>>> sudo ezjail-admin update -i -s /usr/src >>>>>>> >>>>>>> [ .. ] >>>>>>> >>>>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 >>>>>>> COPYRIGHT >>>>>>> /usr/local/jails/fulljail/ >>>>>>> install -o root -g wheel -m 444 >>>>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints >>>>>>> /usr/local/jails/fulljail/boot/device.hints >>>>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: >>>>>>> Path is >>>>>>> absolute: Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is >>>>>>> absolute: >>>>>>> Unknown error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is >>>>>>> absolute: Unknown >>>>>>> error: -1 >>>>>>> >>>>>>> /usr/local/jails/basejail/bin/domainnamecpio: >>>>>>> bin/domainname: Path is >>>>>>> absolute: Unknown error: -1 >>>>>>> [ .. etc. .. ] >>>>>> >>>>>> >>>>>> Martin Matuska >>>>>> FreeBSD committer >>>>>> http://blog.vx.sk >>>>> >>>>> >>>>> Martin Matuska >>>>> FreeBSD committer >>>>> http://blog.vx.sk >> _______________________________________________ >> freebsd-current_at_freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-current >> To unsubscribe, send any mail to " >> freebsd-current-unsubscribe_at_freebsd.org"Received on Sat May 14 2016 - 21:29:57 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:04 UTC