[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-03-06 Thread Launchpad Bug Tracker
This bug was fixed in the package busybox - 1:1.27.2-2ubuntu3.1

---
busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers  Thu, 17 Jan 2019 13:16:38 -0500

** Changed in: busybox (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1753572

Title:
  cpio in Busybox 1.27 ingnores "unsafe links"

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Released
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed

Bug description:
  Description: Ubuntu Bionic Beaver (development branch)
  Release: 18.04

  busybox:
    Installed: 1:1.27.2-2ubuntu3
    Candidate: 1:1.27.2-2ubuntu3

  3) Expected my CPIO archive to be fully extracted with proper symlinks
  Command: unxz < /rootfs.cxz | cpio -i

  4) 'Unsafe' symlinks were ignored such as:

  sbin/init -> /lib/systemd/systemd

  With the broken 1.27 sbin/init does not get created at all and my
  debirf initrd fails to load/boot properly.

  1.22 from Xenial works.
  GNU Cpio also works.

  It looks like 1.28 adds an env var to override this behavior:

  libarchive: do not extract unsafe symlinks unless
  $EXTRACT_UNSAFE_SYMLINKS=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
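
The changelog above fixes the regression by postponing symlinks with "suspicious" targets instead of dropping them. The following C sketch is an added example (not BusyBox code and not part of the original thread) that extracts a small constructed member list under both policies. The test for "suspicious" (an absolute target or one containing ".."), the member list and all function names are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, readlink */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* One archive member; link_target == NULL means a regular file. */
struct member { const char *name; const char *link_target; };

/* Constructed sample listing; sbin/init is the link quoted in the bug report. */
static const struct member SAMPLE[] = {
    { "bin/busybox",         NULL },
    { "bin/sh",              "busybox" },
    { "sbin/init",           "/lib/systemd/systemd" },
    { "lib/systemd/systemd", NULL },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])
#define MAX_DEFERRED 16

enum policy { SKIP_UNSAFE, DEFER_UNSAFE };

/* Assumed heuristic: absolute targets and targets containing ".." are suspicious. */
int target_is_suspicious(const char *target)
{
    return target[0] == '/' || strstr(target, "..") != NULL;
}

/* Create every missing directory component above the final path element. */
static void make_parents(const char *path)
{
    char buf[512];
    snprintf(buf, sizeof buf, "%s", path);
    for (char *p = buf + 1; *p; p++) {
        if (*p == '/') {
            *p = '\0';
            mkdir(buf, 0755);   /* EEXIST is expected and ignored */
            *p = '/';
        }
    }
}

static int write_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("placeholder\n", f);
    return fclose(f);
}

/* Extract members under root; returns the number of symlinks created, -1 on error. */
int extract(const char *root, const struct member *m, size_t n, enum policy policy)
{
    const struct member *deferred[MAX_DEFERRED];
    size_t ndeferred = 0;
    int links = 0;
    char path[512];

    for (size_t i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s/%s", root, m[i].name);
        make_parents(path);
        if (!m[i].link_target) {
            if (write_file(path) != 0) return -1;
        } else if (!target_is_suspicious(m[i].link_target)) {
            if (symlink(m[i].link_target, path) != 0) return -1;
            links++;
        } else if (policy == DEFER_UNSAFE) {
            if (ndeferred == MAX_DEFERRED) return -1;
            deferred[ndeferred++] = &m[i];      /* remember, create later */
        }
        /* SKIP_UNSAFE: the suspicious link is dropped, as the report describes */
    }
    /* All file data is on disk; nothing else will be written through these links. */
    for (size_t i = 0; i < ndeferred; i++) {
        snprintf(path, sizeof path, "%s/%s", root, deferred[i]->name);
        if (symlink(deferred[i]->link_target, path) != 0) return -1;
        links++;
    }
    return links;
}

/* Extract SAMPLE into a fresh temp dir: 1 if sbin/init exists with its archived target. */
int init_link_survives(enum policy policy)
{
    char root[] = "/tmp/cpio-demo-XXXXXX";
    char path[512], target[512];
    ssize_t len;

    if (!mkdtemp(root) || extract(root, SAMPLE, SAMPLE_LEN, policy) < 0) return -1;
    snprintf(path, sizeof path, "%s/sbin/init", root);
    len = readlink(path, target, sizeof target - 1);
    if (len < 0) return 0;              /* link was never created */
    target[len] = '\0';
    return strcmp(target, "/lib/systemd/systemd") == 0;
}

int main(void)
{
    printf("skip policy:  sbin/init present = %d\n", init_link_survives(SKIP_UNSAFE));
    printf("defer policy: sbin/init present = %d\n", init_link_survives(DEFER_UNSAFE));
    return 0;
}
```

The temporary directories are left in place under /tmp so the resulting trees can be inspected.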


[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-02-18 Thread Marc Deslauriers
Thanks!

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Committed
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-02-18 Thread Bryan Seitz
Yes, 1.27.2-2ubuntu3.1 looks to fix the issue with 1.27.2-2ubuntu3!

Thanks!

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Committed
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-02-18 Thread Marc Deslauriers
Hi Bryan,

Could you please test the package that is now in bionic-proposed, and
post your results here?

Thanks!

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Committed
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-02-08 Thread Steve Langasek
Hello Bryan, or anyone else affected,

Accepted busybox into bionic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: busybox (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Fix Committed
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-02-01 Thread Bryan Seitz
I have the image, how can I get it to you privately to test? (Or
alternatively, I can test it with the new version if you have a link?)

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-01-30 Thread Bryan Seitz
Creating image now.

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-01-24 Thread Bryan Seitz
Yeah apologies, I have to allocate another U18 host and build one.  Will
aim for tomorrow.

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-01-24 Thread Brian Murray
Bryan - is there any chance we could get that image?

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-01-17 Thread Bryan Seitz
I was using it to build a U18 debirf image when I saw this issue.  I can
generate one in a bit for you.

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2019-01-17 Thread Marc Deslauriers
I just uploaded this for bionic to be processed by the SRU team.

Bryan, do you have an example archive that can be used to test this?
Thanks!

** Changed in: busybox (Ubuntu Bionic)
   Status: Confirmed => In Progress

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  In Progress
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-11-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: debirf (Ubuntu Bionic)
   Status: New => Confirmed

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  Confirmed
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4

---
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers  Mon, 09 Jul 2018 10:25:24 -0400

** Changed in: busybox (Ubuntu Cosmic)
   Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5325

Status in busybox package in Ubuntu:
  Fix Released
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  New
Status in busybox source package in Cosmic:
  Fix Released
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-07-06 Thread Bryan Seitz
This does look good now, thanks!

Status in busybox package in Ubuntu:
  Confirmed
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  New
Status in busybox source package in Cosmic:
  Confirmed
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-07-03 Thread Marc Deslauriers
Hello?

Status in busybox package in Ubuntu:
  Confirmed
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  New
Status in busybox source package in Cosmic:
  Confirmed
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-06-22 Thread Marc Deslauriers
Hi! I've prepared a busybox update and uploaded it to my PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please see if it resolves your issue? If so, I'll upload it to
cosmic and SRU it to bionic.

Thanks!

** Also affects: busybox (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: debirf (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: busybox (Ubuntu Cosmic)
   Importance: Undecided
   Status: Confirmed

** Also affects: debirf (Ubuntu Cosmic)
   Importance: Undecided
   Status: Confirmed

** Changed in: busybox (Ubuntu Bionic)
   Status: New => Confirmed

Status in busybox package in Ubuntu:
  Confirmed
Status in debirf package in Ubuntu:
  Confirmed
Status in busybox source package in Bionic:
  Confirmed
Status in debirf source package in Bionic:
  New
Status in busybox source package in Cosmic:
  Confirmed
Status in debirf source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-06-13 Thread Marc Deslauriers
The EXTRACT_UNSAFE_SYMLINKS variable was backed out in busybox 1.28.2 by
the following commit:

https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b

Two new commits were added to later 1.28 releases to fix more symlink
issues:

https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403
https://git.busybox.net/busybox/commit/?id=dd56921e2d404c8fc9484290a36411a13d14df1a

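The symptom reported in this bug (a symlink such as sbin/init -> /lib/systemd/systemd missing after extraction) can be caught at image build time by listing the symlinks an extractor with this policy would skip. The following is an added example, not code from this thread or from BusyBox; it assumes the archive is in cpio "newc" format and that "unsafe" means an absolute target or a ".." path component, and the function names and sample archive are constructed for illustration.

```python
import io
import stat

def _field(hdr, i):
    # newc header: 6-byte magic, then 13 fields of 8 ASCII hex digits each
    return int(hdr[6 + 8 * i:14 + 8 * i], 16)

def _pad4(n):
    return (4 - n % 4) % 4  # header+name and data are NUL-padded to 4 bytes

def is_unsafe_target(target):
    # Assumed rule: absolute target, or any ".." path component
    return target.startswith("/") or ".." in target.split("/")

def unsafe_symlinks(stream):
    """Return [(name, target)] for symlinks matching the assumed rule."""
    found = []
    while True:
        hdr = stream.read(110)
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("truncated or non-newc cpio stream")
        mode, size, namesize = _field(hdr, 1), _field(hdr, 6), _field(hdr, 11)
        name = stream.read(namesize)[:-1].decode("utf-8", "surrogateescape")
        stream.read(_pad4(110 + namesize))
        data = stream.read(size)
        stream.read(_pad4(size))
        if name == "TRAILER!!!":  # end-of-archive marker
            return found
        if stat.S_ISLNK(mode):  # for a symlink the data is its target
            target = data.decode("utf-8", "surrogateescape")
            if is_unsafe_target(target):
                found.append((name, target))

def make_entry(name, mode, data=b""):
    # Builds one newc record; used only for the constructed sample below
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    hdr = b"070701" + b"".join(b"%08X" % f for f in fields)
    return hdr + n + b"\0" * _pad4(110 + len(n)) + data + b"\0" * _pad4(len(data))

SAMPLE = b"".join([  # constructed archive, not taken from the bug report
    make_entry("sbin/init", 0o120777, b"/lib/systemd/systemd"),
    make_entry("bin/sh", 0o120777, b"busybox"),
    make_entry("etc/mtab", 0o120777, b"../proc/self/mounts"),
    make_entry("etc/hostname", 0o100644, b"debirf\n"),
    make_entry("TRAILER!!!", 0),
])

if __name__ == "__main__":
    for name, target in unsafe_symlinks(io.BytesIO(SAMPLE)):
        print(f"{name} -> {target}")
```

To check a real image, pass the decompressed stream instead of the sample, for example `sys.stdin.buffer` fed by `unxz < /rootfs.cxz`.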


[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-03-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: debirf (Ubuntu)
   Status: New => Confirmed



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-03-05 Thread Bryan Seitz
** Project changed: busybox => debirf (Ubuntu)



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-03-05 Thread Bryan Seitz
** Also affects: busybox
   Importance: Undecided
   Status: New



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-03-05 Thread Bryan Seitz
Proposed solution: back port the env var patch or upgrade to 1.28.



[Touch-packages] [Bug 1753572] Re: cpio in Busybox 1.27 ingnores "unsafe links"

2018-03-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: busybox (Ubuntu)
   Status: New => Confirmed
