Re: libarchive update SVN r299529 breaks "ezjail update"

From: Ian Lepore <ian_at_freebsd.org>
Date: Sat, 14 May 2016 17:37:08 -0600
On Sun, 2016-05-15 at 01:29 +0200, Martin Matuska wrote:
> Ian, we are here talking about cpio, not libarchive. The flag in
> libarchive is not active by default.
> 

Yes.  We use cpio for filesystem images, for historical reasons (such
as cpio's ability to encode device major/minor node numbers and other
stuff that doesn't really matter anymore, but the format is kinda cast
in stone now).

-- Ian

> 
> On 14.05.2016 22:08, Ian Lepore wrote:
> > On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
> > >  From the looks of this, I think it's likely better to have the
> > > default 
> > > be "secure" and ezjail-admin use the "--insecure" flag as an
> > > explicit
> > > override. That's the only place I've noticed the need for it
> > > although
> > > I've not done an extensive search for any other instances in
> > > which it
> > > might be required,
> > > 
> > > 	imb
> > > 
> > The real damage will happen to out-of-tree users.  I think this
> > will
> > impact our software updater for $work for example, and it has to
> > work
> > with both old and new versions of libarchive, and now the new
> > version
> > will require a flag that the old version will reject as unknown.
> > 
> > Ick.
> > 
> > -- Ian
> > 
> > > On 5/14/2016 3:46 PM, Tim Kientzle wrote:
> > > > A little history about this issue:
> > > > 
> > > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
> > > > 
> > > > 
> > > > > On May 14, 2016, at 12:17 PM, Tim Kientzle <tim_at_kientzle.com>
> > > > > wrote:
> > > > > 
> > > > > Many people consider the traditional behavior to be a
> > > > > security
> > > > > risk, which is why this was changed.
> > > > > 
> > > > > FreeBSD is welcome to make --insecure the default on FreeBSD,
> > > > > but
> > > > > I'm reluctant to do that in the upstream libarchive project.
> > > > > 
> > > > > Tim
> > > > > 
> > > > > 
> > > > > > On May 12, 2016, at 8:54 AM, Martin Matuska <mm_at_freebsd.org
> > > > > > >
> > > > > > wrote:
> > > > > > 
> > > > > > Looks like we have to remove line #174 from cpio/cpio.c:
> > > > > > cpio->extract_flags |=
> > > > > > ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
> > > > > > 
> > > > > > This breaks traditional cpio behavior.
> > > > > > 
> > > > > > Quoting Martin Matuska <mm_at_freebsd.org>:
> > > > > > 
> > > > > > > Hi Michael, I have looked at the source and this is an
> > > > > > > intended change in 3.2.0.
> > > > > > > 
> > > > > > > An absolute path security check was added, cpio refuses
> > > > > > > to
> > > > > > > extract or copy over absolute paths. To do this anyway
> > > > > > > the "-
> > > > > > > -insecure" flag must be used.
> > > > > > > 
> > > > > > > Here is the commit:
> > > > > > > https://github.com/libarchive/libarchive/commit/593571577
> > > > > > > 06d4
> > > > > > > 7c365b2227739e17daba3607526
> > > > > > > 
> > > > > > > Quoting Michael Butler <imb_at_protected-networks.net>:
> > > > > > > 
> > > > > > > > It seems that today's libarchive update breaks cpio's
> > > > > > > > behaviour:
> > > > > > > > 
> > > > > > > > sudo ezjail-admin update -i -s /usr/src
> > > > > > > > 
> > > > > > > > [ .. ]
> > > > > > > > 
> > > > > > > > cd /usr/src/etc/..; install -o root -g wheel -m 444 
> > > > > > > >  COPYRIGHT
> > > > > > > > /usr/local/jails/fulljail/
> > > > > > > > install -o root -g wheel -m 444
> > > > > > > > /usr/src/etc/../sys/i386/conf/GENERIC.hints
> > > > > > > > /usr/local/jails/fulljail/boot/device.hints
> > > > > > > > /usr/local/jails/basejail/bincpio: bin: Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chflagscpio: bin/chflags:
> > > > > > > > Path is
> > > > > > > > absolute: Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path
> > > > > > > > is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chmodcpio: bin/chmod:
> > > > > > > > Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/datecpio: bin/date: Path
> > > > > > > > is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/domainnamecpio:
> > > > > > > > bin/domainname: Path is
> > > > > > > > absolute: Unknown error: -1
> > > > > > > > [ .. etc. .. ]
> > > > > > > 
> > > > > > > 
> > > > > > > Martin Matuska
> > > > > > > FreeBSD committer
> > > > > > > http://blog.vx.sk
> > > > > > 
> > > > > > 
> > > > > > Martin Matuska
> > > > > > FreeBSD committer
> > > > > > http://blog.vx.sk
> > > _______________________________________________
> > > freebsd-current_at_freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > > To unsubscribe, send any mail to "
> > > freebsd-current-unsubscribe_at_freebsd.org"
> 
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "
> freebsd-current-unsubscribe_at_freebsd.org"
Received on Sat May 14 2016 - 21:38:18 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:04 UTC