Date:      Sat, 14 May 2016 12:55:23 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207965] [nanobsd] regression during disk image build after CVE-2015-2304 fix/libarchive 3.2.0 update
Message-ID:  <bug-207965-8-ULoSvbGqu3@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207965-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-207965-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207965

--- Comment #3 from Jason Unovitch <junovitch@freebsd.org> ---
Turns out we relied on absolute path extraction in multiple places as it broke
ports as well after the 3.2.0 update [1] and the commit was reverted shortly
after [2].

[1] https://svnweb.freebsd.org/base?view=revision&revision=299529
[2] https://svnweb.freebsd.org/base?view=revision&revision=299576

As per the new cpio(1) manual, --insecure is needed for:
"This allows extraction via symbolic links, absolute paths, and path names
containing .. in the name."

On r299575 before the revert, the image builds are broken with the "Path is
absolute" failure before applying this change and fixed afterwards.  There is
also no change to building a good image by using --insecure on r299278 before
the update.

-- 
You are receiving this mail because:
You are the assignee for the bug.
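
An added example (not part of the original message, and not libarchive's own logic): a sketch that sorts a path list into the three categories the quoted cpio(1) text names, so a build script can see which entries are the reason --insecure is required. The function names, the sample paths and the destination tree are assumptions constructed for illustration.

```python
import os
import tempfile

def insecure_reasons(name, dest):
    """Return which of the three categories from the quoted cpio(1) text
    apply to `name` when it is written under `dest` (empty list = none)."""
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute path")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("contains ..")
    # Walk the parent components under dest; stop at the first symlink.
    cur = dest
    for part in parts[:-1]:
        if part == "..":
            break  # already reported; do not walk outside dest
        cur = os.path.join(cur, part)
        if os.path.islink(cur):  # lstat-based, true for dangling links too
            reasons.append("via symlink " + os.path.relpath(cur, dest))
            break
    return reasons

def audit(names, dest):
    """Map each flagged name to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = insecure_reasons(name, dest)
        if reasons:
            flagged[name] = reasons
    return flagged

def demo():
    # Constructed sample: a destination tree holding one symlinked directory,
    # and a constructed name list such as find(1) would feed to cpio.
    with tempfile.TemporaryDirectory() as dest:
        os.mkdir(os.path.join(dest, "usr"))
        os.symlink("../var/tmp", os.path.join(dest, "usr", "tmp"))
        names = ["./etc/rc.conf", "/boot/loader.conf",
                 "usr/../../etc/passwd", "usr/tmp/scratch"]
        return audit(names, dest)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

Running the audit over the file list before adding --insecure shows whether the flag is needed only for absolute names, which a build can often avoid by emitting relative paths instead.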


