Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-15 Thread Tim Kientzle

Someone just pointed out that the change also affected cpio's -p pass-through 
mode.  That was not intentional.  I just accepted Martin's pull request to 
revert the behavior for -p mode.

Cheers,

Tim




> On May 15, 2016, at 9:16 AM, Ian Lepore  wrote:
> 
> On Sun, 2016-05-15 at 01:57 +0200, Martin Matuska wrote:
>> That switch is "--insecure" and is supported in all libarchive
>> versions
>> freebsd ever used.
>> 
> 
> Oh, well that will make handling the new version easier.  It doesn't
> change the fact that the new libarchive stuff will break long-working
> existing software, but at least it'll be easy to fix.
> 
> -- Ian
> 
>> 
>> On 15.05.2016 01:36, Ngie Cooper (yaneurabeya) wrote:
>>>> On May 14, 2016, at 16:29, Martin Matuska wrote:
>>>> 
>>>> Ian, we are here talking about cpio, not libarchive. The flag in
>>>> libarchive is not active by default.
>>>> 
>>>> On 14.05.2016 22:08, Ian Lepore wrote:
>>>>> The real damage will happen to out-of-tree users.  I think this
>>>>> will
>>>>> impact our software updater for $work for example, and it has
>>>>> to work
>>>>> with both old and new versions of libarchive, and now the new
>>>>> version
>>>>> will require a flag that the old version will reject as
>>>>> unknown.
>>>>> 
>>>>> Ick.
>>> Ian’s comment was valid.. cpio doesn’t recognize the new switch on
>>> older versions, so something like cpio `cpio --help | grep --
>>> switch && echo switch` would need to be employed everywhere for
>>> backwards compatibility — ew.
>>> Thanks,
>>> -Ngie
>> 

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-15 Thread Ian Lepore
On Sun, 2016-05-15 at 01:57 +0200, Martin Matuska wrote:
> That switch is "--insecure" and is supported in all libarchive
> versions
> freebsd ever used.
> 

Oh, well that will make handling the new version easier.  It doesn't
change the fact that the new libarchive stuff will break long-working
existing software, but at least it'll be easy to fix.

-- Ian

> 
> On 15.05.2016 01:36, Ngie Cooper (yaneurabeya) wrote:
> > > On May 14, 2016, at 16:29, Martin Matuska  wrote:
> > > 
> > > Ian, we are here talking about cpio, not libarchive. The flag in
> > > libarchive is not active by default.
> > > 
> > > On 14.05.2016 22:08, Ian Lepore wrote:
> > > > The real damage will happen to out-of-tree users.  I think this
> > > > will
> > > > impact our software updater for $work for example, and it has
> > > > to work
> > > > with both old and new versions of libarchive, and now the new
> > > > version
> > > > will require a flag that the old version will reject as
> > > > unknown.
> > > > 
> > > > Ick.
> > Ian’s comment was valid.. cpio doesn’t recognize the new switch on
> > older versions, so something like cpio `cpio --help | grep --
> > switch && echo switch` would need to be employed everywhere for
> > backwards compatibility — ew.
> > Thanks,
> > -Ngie
> 

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Martin Matuska
That switch is "--insecure" and is supported in all libarchive versions
freebsd ever used.


On 15.05.2016 01:36, Ngie Cooper (yaneurabeya) wrote:
>> On May 14, 2016, at 16:29, Martin Matuska  wrote:
>>
>> Ian, we are here talking about cpio, not libarchive. The flag in
>> libarchive is not active by default.
>>
>> On 14.05.2016 22:08, Ian Lepore wrote:
>>> The real damage will happen to out-of-tree users.  I think this will
>>> impact our software updater for $work for example, and it has to work
>>> with both old and new versions of libarchive, and now the new version
>>> will require a flag that the old version will reject as unknown.
>>>
>>> Ick.
> Ian’s comment was valid.. cpio doesn’t recognize the new switch on older 
> versions, so something like cpio `cpio --help | grep -- switch && echo 
> switch` would need to be employed everywhere for backwards compatibility — ew.
> Thanks,
> -Ngie


Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Ngie Cooper (yaneurabeya)

> On May 14, 2016, at 16:29, Martin Matuska  wrote:
> 
> Ian, we are here talking about cpio, not libarchive. The flag in
> libarchive is not active by default.
> 
> On 14.05.2016 22:08, Ian Lepore wrote:

>> The real damage will happen to out-of-tree users.  I think this will
>> impact our software updater for $work for example, and it has to work
>> with both old and new versions of libarchive, and now the new version
>> will require a flag that the old version will reject as unknown.
>> 
>> Ick.

Ian’s comment was valid.. cpio doesn’t recognize the new switch on older 
versions, so something like cpio `cpio --help | grep -- switch && echo switch` 
would need to be employed everywhere for backwards compatibility — ew.
Thanks,
-Ngie

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Ian Lepore
On Sun, 2016-05-15 at 01:29 +0200, Martin Matuska wrote:
> Ian, we are here talking about cpio, not libarchive. The flag in
> libarchive is not active by default.
> 

Yes.  We use cpio for filesystem images, for historical reasons (such
as cpio's ability to encode device major/minor node numbers and other
stuff that doesn't really matter anymore, but the format is kinda cast
in stone now).

-- Ian

> 
> On 14.05.2016 22:08, Ian Lepore wrote:
> > On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
> > >  From the looks of this, I think it's likely better to have the
> > > default 
> > > be "secure" and ezjail-admin use the "--insecure" flag as an
> > > explicit
> > > override. That's the only place I've noticed the need for it
> > > although
> > > I've not done an extensive search for any other instances in
> > > which it
> > > might be required,
> > > 
> > >   imb
> > > 
> > The real damage will happen to out-of-tree users.  I think this
> > will
> > impact our software updater for $work for example, and it has to
> > work
> > with both old and new versions of libarchive, and now the new
> > version
> > will require a flag that the old version will reject as unknown.
> > 
> > Ick.
> > 
> > -- Ian
> > 
> > > On 5/14/2016 3:46 PM, Tim Kientzle wrote:
> > > > A little history about this issue:
> > > > 
> > > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
> > > > 
> > > > 
> > > > > On May 14, 2016, at 12:17 PM, Tim Kientzle 
> > > > > wrote:
> > > > > 
> > > > > Many people consider the traditional behavior to be a
> > > > > security
> > > > > risk, which is why this was changed.
> > > > > 
> > > > > FreeBSD is welcome to make --insecure the default on FreeBSD,
> > > > > but
> > > > > I'm reluctant to do that in the upstream libarchive project.
> > > > > 
> > > > > Tim
> > > > > 
> > > > > 
> > > > > > > On May 12, 2016, at 8:54 AM, Martin Matuska
> > > > > > > wrote:
> > > > > > 
> > > > > > Looks like we have to remove line #174 from cpio/cpio.c:
> > > > > > cpio->extract_flags |=
> > > > > > ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
> > > > > > 
> > > > > > This breaks traditional cpio behavior.
> > > > > > 
> > > > > > Quoting Martin Matuska :
> > > > > > 
> > > > > > > Hi Michael, I have looked at the source and this is an
> > > > > > > intended change in 3.2.0.
> > > > > > > 
> > > > > > > > An absolute path security check was added, cpio refuses
> > > > > > > > to extract or copy over absolute paths. To do this
> > > > > > > > anyway the "--insecure" flag must be used.
> > > > > > > > 
> > > > > > > > Here is the commit:
> > > > > > > > https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
> > > > > > > 
> > > > > > > Quoting Michael Butler :
> > > > > > > 
> > > > > > > > It seems that today's libarchive update breaks cpio's
> > > > > > > > behaviour:
> > > > > > > > 
> > > > > > > > sudo ezjail-admin update -i -s /usr/src
> > > > > > > > 
> > > > > > > > [ .. ]
> > > > > > > > 
> > > > > > > > cd /usr/src/etc/..; install -o root -g wheel -m 444 
> > > > > > > >  COPYRIGHT
> > > > > > > > /usr/local/jails/fulljail/
> > > > > > > > install -o root -g wheel -m 444
> > > > > > > > /usr/src/etc/../sys/i386/conf/GENERIC.hints
> > > > > > > > /usr/local/jails/fulljail/boot/device.hints
> > > > > > > > /usr/local/jails/basejail/bincpio: bin: Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chflagscpio: bin/chflags:
> > > > > > > > Path is
> > > > > > > > absolute: Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path
> > > > > > > > is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/chmodcpio: bin/chmod:
> > > > > > > > Path is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/datecpio: bin/date: Path
> > > > > > > > is
> > > > > > > > absolute:
> > > > > > > > Unknown error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is
> > > > > > > > absolute: Unknown
> > > > > > > > error: -1
> > > > > > > > 
> > > > > > > > /usr/local/jails/basejail/bin/domainnamecpio:
> > > > > > > > bin/domainname: Path is
> > > > > > > > absolute: Unknown error: -1
> > > > > > > > [ 

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Martin Matuska
Ian, we are here talking about cpio, not libarchive. The flag in
libarchive is not active by default.


On 14.05.2016 22:08, Ian Lepore wrote:
> On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
>>  From the looks of this, I think it's likely better to have the
>> default 
>> be "secure" and ezjail-admin use the "--insecure" flag as an explicit
>> override. That's the only place I've noticed the need for it although
>> I've not done an extensive search for any other instances in which it
>> might be required,
>>
>>  imb
>>
> The real damage will happen to out-of-tree users.  I think this will
> impact our software updater for $work for example, and it has to work
> with both old and new versions of libarchive, and now the new version
> will require a flag that the old version will reject as unknown.
>
> Ick.
>
> -- Ian
>
>> On 5/14/2016 3:46 PM, Tim Kientzle wrote:
>>> A little history about this issue:
>>>
>>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
>>>
>>>
>>>> On May 14, 2016, at 12:17 PM, Tim Kientzle
>>>> wrote:
>>>>
>>>> Many people consider the traditional behavior to be a security
>>>> risk, which is why this was changed.
>>>>
>>>> FreeBSD is welcome to make --insecure the default on FreeBSD, but
>>>> I'm reluctant to do that in the upstream libarchive project.
>>>>
>>>> Tim
>>>>
>>>>
>>>>> On May 12, 2016, at 8:54 AM, Martin Matuska
>>>>> wrote:
>>>>>
>>>>> Looks like we have to remove line #174 from cpio/cpio.c:
>>>>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>>>>>
>>>>> This breaks traditional cpio behavior.
>>>>>
>>>>> Quoting Martin Matuska :
>>>>>
>>>>>> Hi Michael, I have looked at the source and this is an
>>>>>> intended change in 3.2.0.
>>>>>>
>>>>>> An absolute path security check was added, cpio refuses to
>>>>>> extract or copy over absolute paths. To do this anyway the
>>>>>> "--insecure" flag must be used.
>>>>>>
>>>>>> Here is the commit:
>>>>>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>>>>>
>>>>>> Quoting Michael Butler :
>>>>>>
>>>>>>> It seems that today's libarchive update breaks cpio's
>>>>>>> behaviour:
>>>>>>>
>>>>>>> sudo ezjail-admin update -i -s /usr/src
>>>>>>>
>>>>>>> [ .. ]
>>>>>>>
>>>>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 
>>>>>>>  COPYRIGHT
>>>>>>> /usr/local/jails/fulljail/
>>>>>>> install -o root -g wheel -m 444
>>>>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>>>>>> /usr/local/jails/fulljail/boot/device.hints
>>>>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute:
>>>>>>> Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is
>>>>>>> absolute:
>>>>>>> Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags:
>>>>>>> Path is
>>>>>>> absolute: Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is
>>>>>>> absolute:
>>>>>>> Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is
>>>>>>> absolute:
>>>>>>> Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is
>>>>>>> absolute: Unknown
>>>>>>> error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is
>>>>>>> absolute:
>>>>>>> Unknown error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is
>>>>>>> absolute: Unknown
>>>>>>> error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is
>>>>>>> absolute: Unknown
>>>>>>> error: -1
>>>>>>>
>>>>>>> /usr/local/jails/basejail/bin/domainnamecpio:
>>>>>>> bin/domainname: Path is
>>>>>>> absolute: Unknown error: -1
>>>>>>> [ .. etc. .. ]
>>>>>>
>>>>>>
>>>>>> Martin Matuska
>>>>>> FreeBSD committer
>>>>>> http://blog.vx.sk
>>>>>
>>>>>
>>>>> Martin Matuska
>>>>> FreeBSD committer
>>>>> http://blog.vx.sk


Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Ian Lepore
On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
>  From the looks of this, I think it's likely better to have the
> default 
> be "secure" and ezjail-admin use the "--insecure" flag as an explicit
> override. That's the only place I've noticed the need for it although
> I've not done an extensive search for any other instances in which it
> might be required,
> 
>   imb
> 

The real damage will happen to out-of-tree users.  I think this will
impact our software updater for $work for example, and it has to work
with both old and new versions of libarchive, and now the new version
will require a flag that the old version will reject as unknown.

Ick.

-- Ian

> On 5/14/2016 3:46 PM, Tim Kientzle wrote:
> > A little history about this issue:
> > 
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
> > 
> > 
> > > On May 14, 2016, at 12:17 PM, Tim Kientzle 
> > > wrote:
> > > 
> > > Many people consider the traditional behavior to be a security
> > > risk, which is why this was changed.
> > > 
> > > FreeBSD is welcome to make --insecure the default on FreeBSD, but
> > > I'm reluctant to do that in the upstream libarchive project.
> > > 
> > > Tim
> > > 
> > > 
> > > > On May 12, 2016, at 8:54 AM, Martin Matuska 
> > > > wrote:
> > > > 
> > > > Looks like we have to remove line #174 from cpio/cpio.c:
> > > > cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
> > > > 
> > > > This breaks traditional cpio behavior.
> > > > 
> > > > Quoting Martin Matuska :
> > > > 
> > > > > Hi Michael, I have looked at the source and this is an
> > > > > intended change in 3.2.0.
> > > > > 
> > > > > > An absolute path security check was added, cpio refuses to
> > > > > > extract or copy over absolute paths. To do this anyway the
> > > > > > "--insecure" flag must be used.
> > > > > > 
> > > > > > Here is the commit:
> > > > > > https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
> > > > > 
> > > > > Quoting Michael Butler :
> > > > > 
> > > > > > It seems that today's libarchive update breaks cpio's
> > > > > > behaviour:
> > > > > > 
> > > > > > sudo ezjail-admin update -i -s /usr/src
> > > > > > 
> > > > > > [ .. ]
> > > > > > 
> > > > > > cd /usr/src/etc/..; install -o root -g wheel -m 444 
> > > > > >  COPYRIGHT
> > > > > > /usr/local/jails/fulljail/
> > > > > > install -o root -g wheel -m 444
> > > > > > /usr/src/etc/../sys/i386/conf/GENERIC.hints
> > > > > > /usr/local/jails/fulljail/boot/device.hints
> > > > > > /usr/local/jails/basejail/bincpio: bin: Path is absolute:
> > > > > > Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is
> > > > > > absolute:
> > > > > > Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/chflagscpio: bin/chflags:
> > > > > > Path is
> > > > > > absolute: Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is
> > > > > > absolute:
> > > > > > Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is
> > > > > > absolute:
> > > > > > Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is
> > > > > > absolute: Unknown
> > > > > > error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/datecpio: bin/date: Path is
> > > > > > absolute:
> > > > > > Unknown error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is
> > > > > > absolute: Unknown
> > > > > > error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is
> > > > > > absolute: Unknown
> > > > > > error: -1
> > > > > > 
> > > > > > /usr/local/jails/basejail/bin/domainnamecpio:
> > > > > > bin/domainname: Path is
> > > > > > absolute: Unknown error: -1
> > > > > > [ .. etc. .. ]
> > > > > 
> > > > > 
> > > > > 
> > > > > Martin Matuska
> > > > > FreeBSD committer
> > > > > http://blog.vx.sk
> > > > 
> > > > 
> > > > 
> > > > Martin Matuska
> > > > FreeBSD committer
> > > > http://blog.vx.sk
> > > 
> > 


Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread michael butler
From the looks of this, I think it's likely better to have the default 
be "secure" and ezjail-admin use the "--insecure" flag as an explicit 
override. That's the only place I've noticed the need for it although 
I've not done an extensive search for any other instances in which it 
might be required,


imb

On 5/14/2016 3:46 PM, Tim Kientzle wrote:

A little history about this issue:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304



On May 14, 2016, at 12:17 PM, Tim Kientzle  wrote:

Many people consider the traditional behavior to be a security risk, which is 
why this was changed.

FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant 
to do that in the upstream libarchive project.

Tim



On May 12, 2016, at 8:54 AM, Martin Matuska  wrote:

Looks like we have to remove line #174 from cpio/cpio.c:
cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;

This breaks traditional cpio behavior.

Quoting Martin Matuska :


Hi Michael, I have looked at the source and this is an intended change in 3.2.0.

An absolute path security check was added, cpio refuses to extract or copy over absolute 
paths. To do this anyway the "--insecure" flag must be used.

Here is the commit:
https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

Quoting Michael Butler :


It seems that today's libarchive update breaks cpio's behaviour:

sudo ezjail-admin update -i -s /usr/src

[ .. ]

cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
/usr/local/jails/fulljail/
install -o root -g wheel -m 444
/usr/src/etc/../sys/i386/conf/GENERIC.hints
/usr/local/jails/fulljail/boot/device.hints
/usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1

/usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
absolute: Unknown error: -1

/usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
absolute: Unknown error: -1
[ .. etc. .. ]




Martin Matuska
FreeBSD committer
http://blog.vx.sk




Martin Matuska
FreeBSD committer
http://blog.vx.sk







Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Tim Kientzle
Many people consider the traditional behavior to be a security risk, which is 
why this was changed.

FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant 
to do that in the upstream libarchive project.

Tim


> On May 12, 2016, at 8:54 AM, Martin Matuska  wrote:
> 
> Looks like we have to remove line #174 from cpio/cpio.c:
> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
> 
> This breaks traditional cpio behavior.
> 
> Quoting Martin Matuska :
> 
>> Hi Michael, I have looked at the source and this is an intended change in 
>> 3.2.0.
>> 
>> An absolute path security check was added, cpio refuses to extract or copy 
>> over absolute paths. To do this anyway the "--insecure" flag must be used.
>> 
>> Here is the commit:
>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>> 
>> Quoting Michael Butler :
>> 
>>> It seems that today's libarchive update breaks cpio's behaviour:
>>> 
>>> sudo ezjail-admin update -i -s /usr/src
>>> 
>>> [ .. ]
>>> 
>>> cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
>>> /usr/local/jails/fulljail/
>>> install -o root -g wheel -m 444
>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>> /usr/local/jails/fulljail/boot/device.hints
>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>> Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>> absolute: Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>> Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>> Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>> error: -1
>>> 
>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>> Unknown error: -1
>>> 
>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>> error: -1
>>> 
>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>> error: -1
>>> 
>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>> absolute: Unknown error: -1
>>> [ .. etc. .. ]
>> 
>> 
>> 
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
> 
> 
> 
> Martin Matuska
> FreeBSD committer
> http://blog.vx.sk



Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-14 Thread Tim Kientzle
A little history about this issue:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304


> On May 14, 2016, at 12:17 PM, Tim Kientzle  wrote:
> 
> Many people consider the traditional behavior to be a security risk, which is 
> why this was changed.
> 
> FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm 
> reluctant to do that in the upstream libarchive project.
> 
> Tim
> 
> 
>> On May 12, 2016, at 8:54 AM, Martin Matuska  wrote:
>> 
>> Looks like we have to remove line #174 from cpio/cpio.c:
>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>> 
>> This breaks traditional cpio behavior.
>> 
>> Quoting Martin Matuska :
>> 
>>> Hi Michael, I have looked at the source and this is an intended change in 
>>> 3.2.0.
>>> 
>>> An absolute path security check was added, cpio refuses to extract or copy 
>>> over absolute paths. To do this anyway the "--insecure" flag must be used.
>>> 
>>> Here is the commit:
>>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>> 
>>> Quoting Michael Butler :
>>> 
>>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>> 
>>>> sudo ezjail-admin update -i -s /usr/src
>>>> 
>>>> [ .. ]
>>>> 
>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
>>>> /usr/local/jails/fulljail/
>>>> install -o root -g wheel -m 444
>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>>> /usr/local/jails/fulljail/boot/device.hints
>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>>> Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>>> absolute: Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>>> Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>>> Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>>> error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>>> Unknown error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>>> error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>>> error: -1
>>>> 
>>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>>> absolute: Unknown error: -1
>>>> [ .. etc. .. ]
>>> 
>>> 
>>> 
>>> Martin Matuska
>>> FreeBSD committer
>>> http://blog.vx.sk
>> 
>> 
>> 
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
> 



Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-12 Thread Martin Matuska

 Looks like we have to remove line #174 from cpio/cpio.c:
cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;

This breaks traditional cpio behavior.

Quoting Martin Matuska :

Hi Michael, I have looked at the source and this is an intended  
change in 3.2.0.


An absolute path security check was added, cpio refuses to extract  
or copy over absolute paths. To do this anyway the "--insecure" flag  
must be used.


Here is the commit:
https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

Quoting Michael Butler :


It seems that today's libarchive update breaks cpio's behaviour:

sudo ezjail-admin update -i -s /usr/src

[ .. ]

cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
/usr/local/jails/fulljail/
install -o root -g wheel -m 444
/usr/src/etc/../sys/i386/conf/GENERIC.hints
/usr/local/jails/fulljail/boot/device.hints
/usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1

/usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
absolute: Unknown error: -1

/usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
absolute: Unknown error: -1
[ .. etc. .. ]




-
Martin Matuska
FreeBSD committer
http://blog.vx.sk

--
Martin Matuska
FreeBSD committer
http://blog.vx.sk

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-12 Thread Martin Matuska
 Hi Michael, I have looked at the source and this is an intended  
change in 3.2.0.


An absolute path security check was added, cpio refuses to extract or  
copy over absolute paths. To do this anyway the "--insecure" flag must  
be used.


Here is the commit:
https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

Quoting Michael Butler :


It seems that today's libarchive update breaks cpio's behaviour:

sudo ezjail-admin update -i -s /usr/src

[ .. ]

cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
/usr/local/jails/fulljail/
install -o root -g wheel -m 444
/usr/src/etc/../sys/i386/conf/GENERIC.hints
/usr/local/jails/fulljail/boot/device.hints
/usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1

/usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
absolute: Unknown error: -1

/usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
absolute: Unknown error: -1
[ .. etc. .. ]

--
Martin Matuska
FreeBSD committer
http://blog.vx.sk
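
An added example, not part of the original thread and not libarchive code: a pre-extraction audit that reads a cpio "newc" archive and lists the member names that an absolute-path check like the one described in the message above would refuse, independent of which cpio version is installed. It goes beyond the thread by also flagging `..` components; the function names and the sample archive are constructed for illustration, and only the newc/crc header format is handled.

```python
"""Audit a cpio 'newc' archive for member names that escape the extraction root."""

NEWC_MAGICS = (b"070701", b"070702")  # newc, and newc with checksum
HEADER_LEN = 110                      # 6-byte magic + 13 fields of 8 hex digits
TRAILER = "TRAILER!!!"                # name of the end-of-archive member


def _pad4(n):
    """Round n up to the next multiple of 4 (newc aligns names and data)."""
    return (n + 3) & ~3


def iter_members(data):
    """Yield (name, mode, filesize) for each member of a newc archive in bytes."""
    off = 0
    while True:
        header = data[off:off + HEADER_LEN]
        if len(header) < HEADER_LEN or header[:6] not in NEWC_MAGICS:
            raise ValueError(f"bad or truncated newc header at offset {off}")
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        raw = data[name_start:name_start + namesize]
        if len(raw) != namesize or not raw.endswith(b"\0"):
            raise ValueError(f"bad member name at offset {name_start}")
        name = raw[:-1].decode("utf-8", "surrogateescape")
        if name == TRAILER:
            return
        yield name, mode, filesize
        off = _pad4(name_start + namesize)  # file data starts 4-byte aligned
        off = _pad4(off + filesize)         # next header starts 4-byte aligned


def classify(name):
    """Return why a name is unsafe to extract under a target root, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "'..' component"
    return None


def audit(data):
    """Return [(name, reason)] for every member that should be refused."""
    findings = []
    for name, _mode, _size in iter_members(data):
        reason = classify(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_member(name, data=b"", mode=0o100644):
    """Build one newc member; used only to construct the sample below."""
    raw = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    blob = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    blob += b"\0" * (_pad4(len(blob)) - len(blob))
    blob += data
    blob += b"\0" * (_pad4(len(blob)) - len(blob))
    return blob


# Constructed sample archive: one relative member, one absolute, one with "..".
SAMPLE = (
    build_member("bin/cat", b"x")
    + build_member("/usr/local/jails/basejail/bin/cat", b"x")
    + build_member("../outside.txt")
    + build_member(TRAILER, mode=0)
)

if __name__ == "__main__":
    for member, why in audit(SAMPLE):
        print(f"refuse {member!r}: {why}")
```
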

Re: libarchive update SVN r299529 breaks "ezjail update"

2016-05-12 Thread Tim Kientzle
If you could please open an issue at

   http://github.com/libarchive/libarchive

and include as much detail as you can, I’d appreciate it.

Cheers,

Tim


> On May 12, 2016, at 7:15 AM, Michael Butler  
> wrote:
> 
> It seems that today's libarchive update breaks cpio's behaviour:
> 
> sudo ezjail-admin update -i -s /usr/src
> 
> [ .. ]
> 
> cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
> /usr/local/jails/fulljail/
> install -o root -g wheel -m 444
> /usr/src/etc/../sys/i386/conf/GENERIC.hints
> /usr/local/jails/fulljail/boot/device.hints
> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
> 
> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
> Unknown error: -1
> 
> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
> absolute: Unknown error: -1
> 
> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
> Unknown error: -1
> 
> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
> Unknown error: -1
> 
> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
> error: -1
> 
> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
> Unknown error: -1
> 
> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
> error: -1
> 
> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
> error: -1
> 
> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
> absolute: Unknown error: -1
> 
> [ .. etc. .. ]

libarchive update SVN r299529 breaks "ezjail update"

2016-05-12 Thread Michael Butler
It seems that today's libarchive update breaks cpio's behaviour:

sudo ezjail-admin update -i -s /usr/src

 [ .. ]

cd /usr/src/etc/..; install -o root -g wheel -m 444  COPYRIGHT
/usr/local/jails/fulljail/
install -o root -g wheel -m 444
/usr/src/etc/../sys/i386/conf/GENERIC.hints
/usr/local/jails/fulljail/boot/device.hints
/usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1

/usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
absolute: Unknown error: -1

/usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
Unknown error: -1

/usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
error: -1

/usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
absolute: Unknown error: -1

 [ .. etc. .. ]