Re: libarchive update SVN r299529 breaks "ezjail update"
Someone just pointed out that the change also affected cpio's -p pass-through mode. That was not intentional. I just accepted Martin's pull request to revert the behavior for -p mode.

Cheers,

Tim

> On May 15, 2016, at 9:16 AM, Ian Lepore wrote:
>
> On Sun, 2016-05-15 at 01:57 +0200, Martin Matuska wrote:
>> That switch is "--insecure" and is supported in all libarchive
>> versions freebsd ever used.
>
> Oh, well that will make handling the new version easier. It doesn't
> change the fact that the new libarchive stuff will break long-working
> existing software, but at least it'll be easy to fix.
>
> -- Ian

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: libarchive update SVN r299529 breaks "ezjail update"
On Sun, 2016-05-15 at 01:57 +0200, Martin Matuska wrote:
> That switch is "--insecure" and is supported in all libarchive
> versions freebsd ever used.

Oh, well that will make handling the new version easier. It doesn't change the fact that the new libarchive stuff will break long-working existing software, but at least it'll be easy to fix.

-- Ian
Re: libarchive update SVN r299529 breaks "ezjail update"
That switch is "--insecure" and is supported in all libarchive versions freebsd ever used.

On 15.05.2016 01:36, Ngie Cooper (yaneurabeya) wrote:
> Ian’s comment was valid.. cpio doesn’t recognize the new switch on older
> versions, so something like cpio `cpio --help | grep -- switch && echo
> switch` would need to be employed everywhere for backwards compatibility — ew.
> Thanks,
> -Ngie
Re: libarchive update SVN r299529 breaks "ezjail update"
> On May 14, 2016, at 16:29, Martin Matuska wrote:
>
> Ian, we are here talking about cpio, not libarchive. The flag in
> libarchive is not active by default.
>
> On 14.05.2016 22:08, Ian Lepore wrote:
>> The real damage will happen to out-of-tree users. I think this will
>> impact our software updater for $work for example, and it has to work
>> with both old and new versions of libarchive, and now the new version
>> will require a flag that the old version will reject as unknown.
>>
>> Ick.

Ian’s comment was valid.. cpio doesn’t recognize the new switch on older versions, so something like cpio `cpio --help | grep -- switch && echo switch` would need to be employed everywhere for backwards compatibility — ew.

Thanks,
-Ngie
Re: libarchive update SVN r299529 breaks "ezjail update"
On Sun, 2016-05-15 at 01:29 +0200, Martin Matuska wrote:
> Ian, we are here talking about cpio, not libarchive. The flag in
> libarchive is not active by default.

Yes. We use cpio for filesystem images, for historical reasons (such as cpio's ability to encode device major/minor node numbers and other stuff that doesn't really matter anymore, but the format is kinda cast in stone now).

-- Ian
Re: libarchive update SVN r299529 breaks "ezjail update"
Ian, we are here talking about cpio, not libarchive. The flag in libarchive is not active by default.

On 14.05.2016 22:08, Ian Lepore wrote:
> On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
>> From the looks of this, I think it's likely better to have the default
>> be "secure" and ezjail-admin use the "--insecure" flag as an explicit
>> override. That's the only place I've noticed the need for it although
>> I've not done an extensive search for any other instances in which it
>> might be required,
>>
>> imb
>
> The real damage will happen to out-of-tree users. I think this will
> impact our software updater for $work for example, and it has to work
> with both old and new versions of libarchive, and now the new version
> will require a flag that the old version will reject as unknown.
>
> Ick.
>
> -- Ian
Re: libarchive update SVN r299529 breaks "ezjail update"
On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote:
> From the looks of this, I think it's likely better to have the default
> be "secure" and ezjail-admin use the "--insecure" flag as an explicit
> override. That's the only place I've noticed the need for it although
> I've not done an extensive search for any other instances in which it
> might be required,
>
> imb

The real damage will happen to out-of-tree users. I think this will impact our software updater for $work for example, and it has to work with both old and new versions of libarchive, and now the new version will require a flag that the old version will reject as unknown.

Ick.

-- Ian
Re: libarchive update SVN r299529 breaks "ezjail update"
From the looks of this, I think it's likely better to have the default be "secure" and ezjail-admin use the "--insecure" flag as an explicit override. That's the only place I've noticed the need for it although I've not done an extensive search for any other instances in which it might be required,

imb

On 5/14/2016 3:46 PM, Tim Kientzle wrote:
> A little history about this issue:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
Re: libarchive update SVN r299529 breaks "ezjail update"
Many people consider the traditional behavior to be a security risk, which is why this was changed.

FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant to do that in the upstream libarchive project.

Tim

> On May 12, 2016, at 8:54 AM, Martin Matuska wrote:
>
> Looks like we have to remove line #174 from cpio/cpio.c:
> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>
> This breaks traditional cpio behavior.
Re: libarchive update SVN r299529 breaks "ezjail update"
A little history about this issue:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304

> On May 14, 2016, at 12:17 PM, Tim Kientzle wrote:
>
> Many people consider the traditional behavior to be a security risk, which is
> why this was changed.
>
> FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm
> reluctant to do that in the upstream libarchive project.
>
> Tim
Re: libarchive update SVN r299529 breaks "ezjail update"
Looks like we have to remove line #174 from cpio/cpio.c:
cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;

This breaks traditional cpio behavior.

Quoting Martin Matuska:

> Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
>
> An absolute path security check was added, cpio refuses to extract or copy over absolute paths. To do this anyway the "--insecure" flag must be used.
>
> Here is the commit:
> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

--
Martin Matuska
FreeBSD committer
http://blog.vx.sk
Re: libarchive update SVN r299529 breaks "ezjail update"
Hi Michael, I have looked at the source and this is an intended change in 3.2.0.

An absolute path security check was added, cpio refuses to extract or copy over absolute paths. To do this anyway the "--insecure" flag must be used.

Here is the commit:
https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526

--
Martin Matuska
FreeBSD committer
http://blog.vx.sk
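As an added illustration of the check Martin describes above (not libarchive's code and not part of the thread), the following C sketch walks a cpio archive and refuses entry names that begin with `/` unless an `insecure` override is set, mirroring the default and `--insecure` behaviours discussed here. It assumes the SVR4 "newc" header layout; the archive bytes are constructed inline and all function names are hypothetical.

```c
/* Added example (not libarchive source): absolute-path check over a
 * constructed cpio "newc" archive. All function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NEWC_HDR 110   /* "070701" magic + 13 fields of 8 hex digits */
#define DEMO_CAP 1024  /* size of the buffer build_demo() fills */

struct scan_result { int accepted, rejected; };

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Decode one 8-digit hex header field; -1 on a non-hex character. */
static long long hex8(const unsigned char *p)
{
    long long v = 0;
    for (int i = 0; i < 8; i++) {
        int c = p[i], d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = v * 16 + d;
    }
    return v;
}

/* Append one regular-file entry at offset off; returns the next offset. */
static size_t put_entry(unsigned char *buf, size_t off, const char *name,
                        const char *data)
{
    size_t nlen = strlen(name) + 1, dlen = strlen(data);
    /* Field order: ino mode uid gid nlink mtime filesize devmajor
     * devminor rdevmajor rdevminor namesize check */
    sprintf((char *)buf + off,
            "070701%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X",
            1u, 0100644u, 0u, 0u, 1u, 0u, (unsigned)dlen,
            0u, 0u, 0u, 0u, (unsigned)nlen, 0u);
    memcpy(buf + off + NEWC_HDR, name, nlen);
    off += pad4(NEWC_HDR + nlen);      /* header + name padded to 4 bytes */
    memcpy(buf + off, data, dlen);
    return off + pad4(dlen);           /* data padded to 4 bytes */
}

/* Constructed sample: two relative names and one absolute name. */
size_t build_demo(unsigned char *buf)
{
    size_t off = 0;
    memset(buf, 0, DEMO_CAP);
    off = put_entry(buf, off, "bin/cat", "cat\n");
    off = put_entry(buf, off, "/bin/chmod", "chmod\n");
    off = put_entry(buf, off, "etc/motd", "hi\n");
    return put_entry(buf, off, "TRAILER!!!", "");
}

/* Walk every entry. With insecure == 0, names starting with '/' are
 * refused (the behaviour the thread describes for cpio in 3.2.0);
 * insecure != 0 models the --insecure override. Returns 0 when the
 * trailer is reached, -1 when the archive is malformed or truncated. */
int scan_archive(const unsigned char *buf, size_t len, int insecure,
                 struct scan_result *r)
{
    size_t off = 0;
    r->accepted = r->rejected = 0;
    while (len >= NEWC_HDR && off <= len - NEWC_HDR) {
        const unsigned char *h = buf + off;
        long long fsize, nsize;
        size_t name_off = off + NEWC_HDR, data_off;
        const char *name = (const char *)buf + name_off;

        if (memcmp(h, "070701", 6) != 0) return -1;
        fsize = hex8(h + 54);              /* c_filesize */
        nsize = hex8(h + 94);              /* c_namesize, counts the NUL */
        if (fsize < 0 || nsize < 1) return -1;
        if ((size_t)nsize > len - name_off) return -1;
        if (name[nsize - 1] != '\0') return -1;
        data_off = off + pad4(NEWC_HDR + (size_t)nsize);
        if (data_off > len || (size_t)fsize > len - data_off) return -1;
        if (strcmp(name, "TRAILER!!!") == 0) return 0;

        if (name[0] == '/' && !insecure) {
            fprintf(stderr, "%s: Path is absolute\n", name);
            r->rejected++;                 /* skip it, keep scanning */
        } else {
            r->accepted++;
        }
        off = data_off + pad4((size_t)fsize);
    }
    return -1;                             /* no trailer seen */
}

int main(void)
{
    unsigned char buf[DEMO_CAP];
    struct scan_result r;
    size_t len = build_demo(buf);
    int rc = scan_archive(buf, len, 0, &r);
    printf("default:    rc=%d accepted=%d rejected=%d\n", rc, r.accepted, r.rejected);
    rc = scan_archive(buf, len, 1, &r);
    printf("--insecure: rc=%d accepted=%d rejected=%d\n", rc, r.accepted, r.rejected);
    return 0;
}
```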
Re: libarchive update SVN r299529 breaks "ezjail update"
If you could please open an issue at http://github.com/libarchive/libarchive and include as much detail as you can, I’d appreciate it.

Cheers,

Tim

> On May 12, 2016, at 7:15 AM, Michael Butler wrote:
>
> It seems that today's libarchive update breaks cpio's behaviour:
>
> sudo ezjail-admin update -i -s /usr/src
>
> [ .. ]
>
> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
> /usr/local/jails/fulljail/
> install -o root -g wheel -m 444
> /usr/src/etc/../sys/i386/conf/GENERIC.hints
> /usr/local/jails/fulljail/boot/device.hints
> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>
> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
> Unknown error: -1
>
> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
> absolute: Unknown error: -1
>
> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
> Unknown error: -1
>
> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
> Unknown error: -1
>
> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
> error: -1
>
> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
> Unknown error: -1
>
> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
> error: -1
>
> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
> error: -1
>
> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
> absolute: Unknown error: -1
>
> [ .. etc. .. ]