Date: Sat, 14 May 2016 14:08:09 -0600 From: Ian Lepore <ian@freebsd.org> To: michael butler <imb@protected-networks.net>, Tim Kientzle <tim@kientzle.com>, Martin Matuska <mm@freebsd.org> Cc: FreeBSD current <freebsd-current@freebsd.org> Subject: Re: libarchive update SVN r299529 breaks "ezjail update" Message-ID: <1463256489.1180.139.camel@freebsd.org> In-Reply-To: <7838d5e7-5d81-37f5-53dd-efdd0e855ea6@protected-networks.net> References: <2c059cf5-2c8a-3b89-16c3-eedf02a01ec5@protected-networks.net> <20160512173440.Horde.5l1s9ijXRgAeMNgmT0MmCPa@mail.vx.sk> <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk> <E9B21A7F-AD3A-4182-AACC-3B92BBEF1216@kientzle.com> <13C1C575-4AEA-463F-A6BE-92843DAD7B53@kientzle.com> <7838d5e7-5d81-37f5-53dd-efdd0e855ea6@protected-networks.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote: > From the looks of this, I think it's likely better to have the > default > be "secure" and ezjail-admin use the "--insecure" flag as an explicit > override. That's the only place I've noticed the need for it although > I've not done an extensive search for any other instances in which it > might be required, > > imb > The real damage will happen to out-of-tree users. I think this will impact our software updater for $work for example, and it has to work with both old and new versions of libarchive, and now the new version will require a flag that the old version will reject as unknown. Ick. -- Ian > On 5/14/2016 3:46 PM, Tim Kientzle wrote: > > A little history about this issue: > > > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304 > > > > > > > On May 14, 2016, at 12:17 PM, Tim Kientzle <tim@kientzle.com> > > > wrote: > > > > > > Many people consider the traditional behavior to be a security > > > risk, which is why this was changed. > > > > > > FreeBSD is welcome to make --insecure the default on FreeBSD, but > > > I'm reluctant to do that in the upstream libarchive project. > > > > > > Tim > > > > > > > > > > On May 12, 2016, at 8:54 AM, Martin Matuska <mm@freebsd.org> > > > > wrote: > > > > > > > > Looks like we have to remove line #174 from cpio/cpio.c: > > > > cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; > > > > > > > > This breaks traditional cpio behavior. > > > > > > > > Quoting Martin Matuska <mm@freebsd.org>: > > > > > > > > > Hi Michael, I have looked at the source and this is an > > > > > intended change in 3.2.0. > > > > > > > > > > An absolute path security check was added, cpio refuses to > > > > > extract or copy over absolute paths. To do this anyway the "- > > > > > -insecure" flag must be used. > > > > > > > > > > Here is the commit: > > > > > https://github.com/libarchive/libarchive/commit/59357157706d4 > > > > > 7c365b2227739e17daba3607526 > > > > > > > > > > Quoting Michael Butler <imb@protected-networks.net>: > > > > > > > > > > > It seems that today's libarchive update breaks cpio's > > > > > > behaviour: > > > > > > > > > > > > sudo ezjail-admin update -i -s /usr/src > > > > > > > > > > > > [ .. ] > > > > > > > > > > > > cd /usr/src/etc/..; install -o root -g wheel -m 444 > > > > > > COPYRIGHT > > > > > > /usr/local/jails/fulljail/ > > > > > > install -o root -g wheel -m 444 > > > > > > /usr/src/etc/../sys/i386/conf/GENERIC.hints > > > > > > /usr/local/jails/fulljail/boot/device.hints > > > > > > /usr/local/jails/basejail/bincpio: bin: Path is absolute: > > > > > > Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is > > > > > > absolute: > > > > > > Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: > > > > > > Path is > > > > > > absolute: Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is > > > > > > absolute: > > > > > > Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is > > > > > > absolute: > > > > > > Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is > > > > > > absolute: Unknown > > > > > > error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/datecpio: bin/date: Path is > > > > > > absolute: > > > > > > Unknown error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is > > > > > > absolute: Unknown > > > > > > error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is > > > > > > absolute: Unknown > > > > > > error: -1 > > > > > > > > > > > > /usr/local/jails/basejail/bin/domainnamecpio: > > > > > > bin/domainname: Path is > > > > > > absolute: Unknown error: -1 > > > > > > [ .. etc. .. ] > > > > > > > > > > > > > > > > > > > > Martin Matuska > > > > > FreeBSD committer > > > > > http://blog.vx.sk > > > > > > > > > > > > > > > > Martin Matuska > > > > FreeBSD committer > > > > http://blog.vx.sk > > > > > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to " > freebsd-current-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1463256489.1180.139.camel>