Package: cpio
Version: 2.13+dfsg-1
Severity: serious
User: de...@kali.org
Usertags: origin-kali
Control: affects -1 live-build
live-build is able to repack the installer initrd to add custom files. We use that feature in Kali and since last week, when cpio 2.13+dfsg-1 reached testing (and thus our ISO build chroots), our installer images are badly broken and we get errors like “/usr/share/debconf/frontend: not found” or “expr: not found”.

After a diffoscope run to compare the original and repacked initrd I saw things like this:

    │ │ ├── etc/mtab
    │ │ │┄ symlink
    │ │ │ @@ -1 +1 @@
    │ │ │ -destination: /proc/mounts
    │ │ │ +destination: proc/mounts
    │ │ ├── usr/bin/expr
    │ │ │┄ symlink
    │ │ │ @@ -1 +1 @@
    │ │ │ -destination: /bin/busybox
    │ │ │ +destination: bin/busybox
    │ │ ├── usr/share/debconf/frontend
    │ │ │┄ symlink
    │ │ │ @@ -1 +1 @@
    │ │ │ -destination: ../../lib/cdebconf/debconf
    │ │ │ +destination: lib/cdebconf/debconf

So the targets of the symlinks have been modified.

live-build uses cpio in the following way to unpack the initrd and repack it:

    # mkdir temp
    # cd temp
    # cpio -i --make-directories --no-absolute-filenames </somewhere/initrd
    # ... (some changes)
    # find -print0 | cpio -H newc -o0 >/somewhere/initrd-repacked

(see https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/installer_debian-installer#L743 for actual code)

So it uses "--no-absolute-filenames" just to ensure that the files are extracted in the current directory and not in the root directory (in case the archive contains absolute filenames), but it really doesn't want cpio to change the contents of the symlinks that it extracts!

I looked in the manual page and could not find any option that would result in the desired behavior. As this is breaking live-build, I'm putting this as a serious bug for now.

This regression is because the upstream fix for CVE-2015-1197 mangles the symlinks in this way:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca

The original SuSE patch that we used was smarter: it would not change the symlinks, but it would refuse to extract over a symlink:
https://bugzilla.suse.com/attachment.cgi?id=599460&action=diff

FYI I'm putting the author of the above commit in copy so that he can chime in and be aware of this regression.
Cheers,

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cpio depends on:
ii  libc6  2.29-3

cpio recommends no packages.

Versions of packages cpio suggests:
pn  libarchive1  <none>

-- no debconf information
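An added example, not part of this report or of the cpio or live-build code: a small Python checker that parses an uncompressed newc archive, lists its symlink targets and reports every target that changed between an original and a repacked initrd, which is the check a build pipeline would want to run before shipping an image. The two sample archives are constructed in memory from the symlink entries shown in the diffoscope output above (the "repacked" one reproduces the stripping the report describes); it assumes the archive is already decompressed and uses only the 070701 (non-CRC) newc header variant.

```python
import stat

def build_newc(entries):
    """Build an uncompressed newc cpio archive from (name, mode, data) tuples."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nameb = name.encode() + b"\0"
        # header: magic + 13 fields of 8 ASCII hex digits = 110 bytes, then the name
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0)
        out += b"070701" + b"".join(b"%08x" % v for v in fields) + nameb
        out += b"\0" * (-len(out) % 4)          # header+name padded to 4 bytes
        out += data + b"\0" * (-len(data) % 4)  # data (symlink target) padded too
    return bytes(out)

def symlink_targets(archive):
    """Walk a newc archive and return {name: target} for every symlink entry."""
    targets, pos = {}, 0
    while True:
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("not a newc (070701) archive at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize
        pos += -pos % 4                       # skip header+name padding
        data = archive[pos:pos + size]
        pos += size + (-size % 4)             # skip data and its padding
        if name == "TRAILER!!!":
            return targets
        if stat.S_ISLNK(mode):
            targets[name] = data.decode()

def mangled_symlinks(original, repacked):
    """Symlinks in both archives whose target differs: the regression's symptom."""
    a, b = symlink_targets(original), symlink_targets(repacked)
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}

LNK = stat.S_IFLNK | 0o777
# Constructed sample archives mirroring the diffoscope output in the report.
ORIGINAL = build_newc([("etc/mtab", LNK, b"/proc/mounts"),
                       ("usr/bin/expr", LNK, b"/bin/busybox"),
                       ("usr/share/debconf/frontend", LNK, b"../../lib/cdebconf/debconf")])
# The same tree after the buggy extract/repack: leading "/" and "../" stripped.
REPACKED = build_newc([("etc/mtab", LNK, b"proc/mounts"),
                       ("usr/bin/expr", LNK, b"bin/busybox"),
                       ("usr/share/debconf/frontend", LNK, b"lib/cdebconf/debconf")])

if __name__ == "__main__":
    for n, (before, after) in mangled_symlinks(ORIGINAL, REPACKED).items():
        print("%s: %s -> %s" % (n, before, after))
```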