The EXTRACT_UNSAFE_SYMLINKS variable was backed out in busybox 1.28.2 by the following commit:
https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b Two new commits were added to later 1.28 releases to fix more symlink issues: https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403 https://git.busybox.net/busybox/commit/?id=dd56921e2d404c8fc9484290a36411a13d14df1a -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1753572 Title: cpio in Busybox 1.27 ingnores "unsafe links" Status in busybox package in Ubuntu: Confirmed Status in debirf package in Ubuntu: Confirmed Bug description: Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 busybox: Installed: 1:1.27.2-2ubuntu3 Candidate: 1:1.27.2-2ubuntu3 3) Expected my CPIO archive to be fully extracted with proper symlinks Command: unxz < /rootfs.cxz | cpio -i 4) 'Unsafe' symlinks were ignored such as: sbin/init -> /lib/systemd/systemd With the broken 1.27 sbin/init does not get created at all and my debirf initrd fails to load/boot properly. 1.22 from Xenial works. GNU Cpio also works. It looks like 1.28 adds an env var to override this behavior: libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
