cpio in Busybox 1.27 ignores "unsafe links"

Bug #1753572 reported by Bryan Seitz
This bug affects 5 people
Affects            Status         Importance   Assigned to   Milestone
busybox (Ubuntu)   Fix Released   Undecided    Unassigned
  Bionic           Fix Released   Undecided    Unassigned
  Cosmic           Fix Released   Undecided    Unassigned
debirf (Ubuntu)    Confirmed      Undecided    Unassigned
  Bionic           Confirmed      Undecided    Unassigned
  Cosmic           Confirmed      Undecided    Unassigned

Bug Description

Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04

busybox:
  Installed: 1:1.27.2-2ubuntu3
  Candidate: 1:1.27.2-2ubuntu3

3) Expected my CPIO archive to be fully extracted with proper symlinks
Command: unxz < /rootfs.cxz | cpio -i

4) 'Unsafe' symlinks were ignored such as:

sbin/init -> /lib/systemd/systemd

With the broken 1.27 sbin/init does not get created at all and my debirf initrd fails to load/boot properly.

1.22 from Xenial works.
GNU Cpio also works.

It looks like 1.28 adds an env var to override this behavior:

libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1
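
An added example, not part of the bug report or of BusyBox's code: a pre-flight audit that parses a cpio "newc" archive and lists the symlinks an extractor with this kind of filter would leave out, honouring the `EXTRACT_UNSAFE_SYMLINKS=1` override quoted above. The rule in `unsafe_target` (absolute target, or a `..` path component) is an assumption, the function names are hypothetical, and the sample archive is constructed around the report's `sbin/init` link.

```python
import os
import stat

def newc_entry(name, mode, data=b""):
    """Build one cpio 'newc' record: 6-byte magic, 13 hex fields, name, data."""
    name_b = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    rec += b"\0" * (-len(rec) % 4) + data     # pad header+name to 4 bytes
    return rec + b"\0" * (-len(rec) % 4)      # pad data to 4 bytes

def iter_newc(blob):
    """Yield (name, mode, data) for each member of a newc archive."""
    off = 0
    while True:
        hdr = blob[off:off + 110]
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("bad newc header at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name_end = off + 110 + namesize
        name = blob[off + 110:name_end - 1].decode()
        if name == "TRAILER!!!":
            return
        data_off = (name_end + 3) & ~3
        yield name, mode, blob[data_off:data_off + size]
        off = (data_off + size + 3) & ~3

def unsafe_target(target):
    # Assumed rule, not taken from the report: absolute path or a ".." component.
    return target.startswith("/") or ".." in target.split("/")

def skipped_symlinks(blob, env=os.environ):
    """Symlinks an extractor applying the assumed rule would leave out."""
    if env.get("EXTRACT_UNSAFE_SYMLINKS") == "1":   # override named in the report
        return []
    return [(n, d.decode()) for n, m, d in iter_newc(blob)
            if stat.S_ISLNK(m) and unsafe_target(d.decode())]

# Constructed sample archive; only the sbin/init link comes from the report.
SAMPLE = b"".join([
    newc_entry("sbin/init", 0o120777, b"/lib/systemd/systemd"),
    newc_entry("bin/sh", 0o120777, b"busybox"),
    newc_entry("etc/mtab", 0o120777, b"../proc/self/mounts"),
    newc_entry("TRAILER!!!", 0),
])

if __name__ == "__main__":
    print(skipped_symlinks(SAMPLE, env={}))
```

To audit a real image, pass the decompressed archive bytes (for example the output of `unxz < /rootfs.cxz`) to `skipped_symlinks`.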

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in busybox (Ubuntu):
status: New → Confirmed
Bryan Seitz (seitz-a) wrote :

Proposed solution: back port the env var patch or upgrade to 1.28.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in debirf (Ubuntu):
status: New → Confirmed
Bryan Seitz (seitz-a)
affects: busybox → debirf (Ubuntu)
Changed in debirf (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Hi! I've prepared a busybox update and uploaded it to my PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

Could you please see if it resolves your issue? If so, I'll upload it to cosmic and SRU it to bionic.

Thanks!

Changed in busybox (Ubuntu Bionic):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Hello?

Bryan Seitz (seitz-a) wrote :

This does look good now, thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu4

---------------
busybox (1:1.27.2-2ubuntu4) cosmic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Mon, 09 Jul 2018 10:25:24 -0400

Changed in busybox (Ubuntu Cosmic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in debirf (Ubuntu Bionic):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

I just uploaded this for bionic to be processed by the SRU team.

Bryan, do you have an example archive that can be used to test this? Thanks!

Changed in busybox (Ubuntu Bionic):
status: Confirmed → In Progress
Bryan Seitz (seitz-a) wrote :

I was using it to build a U18 debirf image when I saw this issue. I can generate one in a bit for you.

Brian Murray (brian-murray) wrote :

Bryan - is there any chance we could get that image?

Bryan Seitz (seitz-a) wrote :

Yeah apologies, I have to allocate another U18 host and build one. Will aim for tomorrow.

Bryan Seitz (seitz-a) wrote :

Creating image now.

Bryan Seitz (seitz-a) wrote :

I have the image, how can I get it to you privately to test? (Or alternatively, I can test it with the new version if you have a link?)

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Bryan, or anyone else affected,

Accepted busybox into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/busybox/1:1.27.2-2ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in busybox (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Marc Deslauriers (mdeslaur) wrote :

Hi Bryan,

Could you please test the package that is now in bionic-proposed, and post your results here?

Thanks!

Bryan Seitz (seitz-a) wrote :

Yes, 1.27.2-2ubuntu3.1 looks to fix the issue with 1.27.2-2ubuntu3!

Thanks!

Marc Deslauriers (mdeslaur) wrote :

Thanks!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package busybox - 1:1.27.2-2ubuntu3.1

---------------
busybox (1:1.27.2-2ubuntu3.1) bionic; urgency=medium

  * Fix symlink handling (LP: #1753572)
    - debian/patches/CVE-2011-5325-2.patch: re-enable patch.
    - debian/patches/CVE-2011-5325-3.patch:postpone creation of symlinks
      with "suspicious" targets in archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      include/bb_archive.h, testsuite/tar.tests.
    - debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks
      the same way tar/unzip does in archival/cpio.c.
    - debian/patches/CVE-2011-5325-5.patch: fix symlink creation in
      archival/libarchive/get_header_ar.c.

 -- Marc Deslauriers <email address hidden> Thu, 17 Jan 2019 13:16:38 -0500

Changed in busybox (Ubuntu Bionic):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for busybox has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
