Date: Sat, 14 May 2016 17:37:08 -0600 From: Ian Lepore <ian@freebsd.org> To: Martin Matuska <mm@FreeBSD.org>, michael butler <imb@protected-networks.net>, Tim Kientzle <tim@kientzle.com> Cc: FreeBSD current <freebsd-current@freebsd.org> Subject: Re: libarchive update SVN r299529 breaks "ezjail update" Message-ID: <1463269028.1180.146.camel@freebsd.org> In-Reply-To: <e09d36c9-4398-8932-09ec-57c6d4024073@FreeBSD.org> References: <2c059cf5-2c8a-3b89-16c3-eedf02a01ec5@protected-networks.net> <20160512173440.Horde.5l1s9ijXRgAeMNgmT0MmCPa@mail.vx.sk> <20160512175418.Horde.JvYoOSRwfU_l2TIXv697u2B@mail.vx.sk> <E9B21A7F-AD3A-4182-AACC-3B92BBEF1216@kientzle.com> <13C1C575-4AEA-463F-A6BE-92843DAD7B53@kientzle.com> <7838d5e7-5d81-37f5-53dd-efdd0e855ea6@protected-networks.net> <1463256489.1180.139.camel@freebsd.org> <e09d36c9-4398-8932-09ec-57c6d4024073@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 2016-05-15 at 01:29 +0200, Martin Matuska wrote: > Ian, we are here talking about cpio, not libarchive. The flag in > libarchive is not active by default. > Yes. We use cpio for filesystem images, for historical reasons (such as cpio's ability to encode device major/minor node numbers and other stuff that doesn't really matter anymore, but the format is kinda cast in stone now). -- Ian > > On 14.05.2016 22:08, Ian Lepore wrote: > > On Sat, 2016-05-14 at 15:51 -0400, michael butler wrote: > > > From the looks of this, I think it's likely better to have the > > > default > > > be "secure" and ezjail-admin use the "--insecure" flag as an > > > explicit > > > override. That's the only place I've noticed the need for it > > > although > > > I've not done an extensive search for any other instances in > > > which it > > > might be required, > > > > > > imb > > > > > The real damage will happen to out-of-tree users. I think this > > will > > impact our software updater for $work for example, and it has to > > work > > with both old and new versions of libarchive, and now the new > > version > > will require a flag that the old version will reject as unknown. > > > > Ick. > > > > -- Ian > > > > > On 5/14/2016 3:46 PM, Tim Kientzle wrote: > > > > A little history about this issue: > > > > > > > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304 > > > > > > > > > > > > > On May 14, 2016, at 12:17 PM, Tim Kientzle <tim@kientzle.com> > > > > > wrote: > > > > > > > > > > Many people consider the traditional behavior to be a > > > > > security > > > > > risk, which is why this was changed. > > > > > > > > > > FreeBSD is welcome to make --insecure the default on FreeBSD, > > > > > but > > > > > I'm reluctant to do that in the upstream libarchive project. > > > > > > > > > > Tim > > > > > > > > > > > > > > > > On May 12, 2016, at 8:54 AM, Martin Matuska <mm@freebsd.org > > > > > > > > > > > > > wrote: > > > > > > > > > > > > Looks like we have to remove line #174 from cpio/cpio.c: > > > > > > cpio->extract_flags |= > > > > > > ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; > > > > > > > > > > > > This breaks traditional cpio behavior. > > > > > > > > > > > > Quoting Martin Matuska <mm@freebsd.org>: > > > > > > > > > > > > > Hi Michael, I have looked at the source and this is an > > > > > > > intended change in 3.2.0. > > > > > > > > > > > > > > An absolute path security check was added, cpio refuses > > > > > > > to > > > > > > > extract or copy over absolute paths. To do this anyway > > > > > > > the "- > > > > > > > -insecure" flag must be used. > > > > > > > > > > > > > > Here is the commit: > > > > > > > https://github.com/libarchive/libarchive/commit/593571577 > > > > > > > 06d4 > > > > > > > 7c365b2227739e17daba3607526 > > > > > > > > > > > > > > Quoting Michael Butler <imb@protected-networks.net>: > > > > > > > > > > > > > > > It seems that today's libarchive update breaks cpio's > > > > > > > > behaviour: > > > > > > > > > > > > > > > > sudo ezjail-admin update -i -s /usr/src > > > > > > > > > > > > > > > > [ .. ] > > > > > > > > > > > > > > > > cd /usr/src/etc/..; install -o root -g wheel -m 444 > > > > > > > > COPYRIGHT > > > > > > > > /usr/local/jails/fulljail/ > > > > > > > > install -o root -g wheel -m 444 > > > > > > > > /usr/src/etc/../sys/i386/conf/GENERIC.hints > > > > > > > > /usr/local/jails/fulljail/boot/device.hints > > > > > > > > /usr/local/jails/basejail/bincpio: bin: Path is > > > > > > > > absolute: > > > > > > > > Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is > > > > > > > > absolute: > > > > > > > > Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: > > > > > > > > Path is > > > > > > > > absolute: Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path > > > > > > > > is > > > > > > > > absolute: > > > > > > > > Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: > > > > > > > > Path is > > > > > > > > absolute: > > > > > > > > Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is > > > > > > > > absolute: Unknown > > > > > > > > error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/datecpio: bin/date: Path > > > > > > > > is > > > > > > > > absolute: > > > > > > > > Unknown error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is > > > > > > > > absolute: Unknown > > > > > > > > error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is > > > > > > > > absolute: Unknown > > > > > > > > error: -1 > > > > > > > > > > > > > > > > /usr/local/jails/basejail/bin/domainnamecpio: > > > > > > > > bin/domainname: Path is > > > > > > > > absolute: Unknown error: -1 > > > > > > > > [ .. etc. .. ] > > > > > > > > > > > > > > > > > > > > > Martin Matuska > > > > > > > FreeBSD committer > > > > > > > http://blog.vx.sk > > > > > > > > > > > > > > > > > > Martin Matuska > > > > > > FreeBSD committer > > > > > > http://blog.vx.sk > > > _______________________________________________ > > > freebsd-current@freebsd.org mailing list > > > https://lists.freebsd.org/mailman/listinfo/freebsd-current > > > To unsubscribe, send any mail to " > > > freebsd-current-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to " > freebsd-current-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1463269028.1180.146.camel>