On 2/2/26 00:05, Moritz Mühlenhoff wrote:
> On Sun, Feb 01, 2026 at 07:24:43PM +0100, Tobias Frost wrote:
>> https://salsa.debian.org/lts-team/packages/busybox/-/tree/debian/bookworm-CVE-2023-39810
>>
>> However, strictly speaking, the fix for this CVE changes busybox behaviour,
>> as directory traversal was "allowed" before and disallowing it is a
>> behavioral change.
>
> The patch doesn't change the default, so that seems fine to backport.

The patch itself doesn't, but it doesn't fix the issue either.
After I applied that patch (in unstable), I also enabled the config
option it introduces -

 CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y

There's no reason to apply the patch but not the config option.

On the other hand, this is actually not that bad of a change.
Yes, it's a change in behaviour, but not that bad, in my opinion.

On the other hand, usage of the unarchival utilities from busybox in
Debian is very limited, since the real tools (the tar, cpio, unzip, etc.
packages) are used instead.  From this perspective, the issue
becomes much less important, and fixing it, even if it is a change in
behaviour, becomes much less risky.

In my view, the only place where you might extract an archive using
busybox is some sort of rescue system, where you copied some file
from another system on a USB flash drive and extract it on a broken
system using busybox's tar or unzip; that's basically it.

Thanks,

/mjt
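To make concrete what a traversal-protecting extractor such as the one enabled by CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y has to decide per archive member, here is an added, stand-alone illustration. It is not busybox's code and not part of this thread: it refuses absolute member names and any member name containing a ".." component, and runs over a constructed sample listing (the member names are made up for the example, not taken from any real archive).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative check (not busybox's implementation): may this archive
 * member name be extracted relative to the current directory?
 * Rejected: empty names, absolute names, and any name with a ".."
 * component.  Rejecting every ".." is deliberately conservative;
 * "a/b/../c" would be safe after normalisation, but refusing it keeps
 * the check trivially auditable. */
static bool member_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                 /* empty member name */
    if (name[0] == '/')
        return false;                 /* absolute path escapes the target dir */

    /* Walk the name component by component. */
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* ".." can step above the target dir */
        if (!end)
            break;
        p = end + 1;
    }
    return true;
}

/* Constructed sample listing, standing in for what "tar -t" would print. */
static const char *const sample_members[] = {
    "etc/issue",
    "./bin/ls",
    "../../etc/cron.d/job",   /* traversal member: rejected */
    "/etc/shadow",            /* absolute member: rejected */
    "usr/..hidden/file",      /* "..hidden" is an ordinary name, accepted */
};
#define SAMPLE_COUNT (sizeof sample_members / sizeof sample_members[0])

/* Number of sample members a traversal-protecting extractor would skip. */
int count_rejected_members(void)
{
    int rejected = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (!member_path_is_safe(sample_members[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-24s %s\n", sample_members[i],
               member_path_is_safe(sample_members[i]) ? "extract" : "skip");
    printf("%d of %zu members rejected\n", count_rejected_members(), SAMPLE_COUNT);
    return 0;
}
```

Without the protection enabled, the two rejected members above would be written outside the extraction directory, which is exactly the behaviour change the thread is weighing.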