This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4
---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium
* Fix symlink handling (LP: #1753572)
- debian/patches/CVE-2011-5325-2.patch: re-enable patch.
- debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
with "suspicious" targets in archival/libarchive/data_extract_all.c,
archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
archival/libarchive/get_header_ar.c.
-- Marc Deslauriers <[email protected]> Mon, 09 Jul 2018
10:25:24 -0400
** Changed in: busybox (Ubuntu Cosmic)
Status: Confirmed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5325
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1753572
Title:
cpio in Busybox 1.27 ingnores "unsafe links"
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1753572/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
