cpio in Busybox 1.27 ingnores "unsafe links"

Status changed to 'Confirmed' because the bug affects multiple users.

Proposed solution: back port the env var patch or upgrade to 1.28.

Status changed to 'Confirmed' because the bug affects multiple users.

The EXTRACT_UNSAFE_SYMLINKS variable was backed out in busybox 1.28.2 by the following commit:

https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b

Two new commits were added to later 1.28 releases to fix more symlink issues:

https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403
https://git.busybox.net/busybox/commit/?id=dd56921e2d404c8fc9484290a36411a13d14df1a

Hi! I've prepared a busybox update and uploaded it to my PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please see if it resolves your issue? If so, I'll upload it to cosmic and SRU it to bionic.

Thanks!

Hello?

This does look good now, thanks!

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4

---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Mon, 09 Jul 2018 10:25:24 -0400

Status changed to 'Confirmed' because the bug affects multiple users.

I just uploaded this for bionic to be processed by the SRU team.

Bryan, do you have an example archive that can be used to test this? Thanks!

I was using it to build a U18 debirf image when I saw this issue. I can generate one in a bit for you.

Bryan - is there any chance we could get that image?

Yeah apologies, I have to allocate another U18 host and build one. Will aim for tomorrow.

Creating image now.

I have the image, how can I get it to you privately to test? (Or alternatively, I can test it with the new version if you have a link?)

Hello Bryan, or anyone else affected,

Accepted busybox into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi Bryan,

Could you please test the package that is now in bionic-proposed, and post your results here?

Thanks!

Yes, 1.27.2-2ubuntu3.1 looks to fix the issue with 1.27.2-2ubuntu3!

Thanks!

Thanks!

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu3.1

---------------
busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Thu, 17 Jan 2019 13:16:38 -0500

The verification of the Stable Release Update for busybox has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.