[please retain any CCs when replying; I am not subscribed to the list]

Dear cpio maintainers,

(I am not the Maintainer of cpio in Debian so was not alerted to the
issue until recently, but was asked to look into this.)

The following bug was filed in Debian:

  https://bugs.debian.org/946267

… which reports a recent regression in cpio whereby
--no-absolute-filenames breaks the extraction of symlinks starting
with /.

The reporter of the issue suggests that:

> This regression is because the upstream fix for CVE-2015-1197
> mangles the symlinks in this way:
>
>   https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca

The reporter, Raphael, correctly points out that the "original SuSE
patch" that Debian had used prior to an upstream-included fix for
this CVE had a different behaviour in that "it would not change the
symlinks but it would refuse to extract over a symlink."

However, I'm not quite sure about what the fix should actually be
here as reverting the upstream fix for CVE-2015-1197 and reapplying
the SuSE patch doesn't feel right at all, hence reaching out to you
for advice.

I hope you can help.

Best wishes,

--
      ,''`.
     : :' :     Chris Lamb
     `. `'`     la...@debian.org 🍥 chris-lamb.co.uk
       `-
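
The behaviour the message attributes to the original SuSE patch (symlinks stored unchanged, extraction over a symlink refused), modelled as an added example; this is not cpio's code or either patch. The entry format, function names and sample paths are assumptions made for the illustration.

```python
import os
import tempfile

def first_symlink_component(root, member):
    """Return the first existing component of `member` that is a symlink, else None."""
    current = root
    for part in member.lstrip("/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise ValueError("member leaves the extraction root: %r" % member)
        current = os.path.join(current, part)
        if os.path.islink(current):
            return current
        if not os.path.lexists(current):
            return None  # nothing exists on disk below this point
    return None

def extract(root, entries):
    """Extract (kind, name, data) entries; link targets are stored verbatim."""
    refused = []
    for kind, name, data in entries:
        if first_symlink_component(root, name) is not None:
            refused.append(name)  # refuse to extract over a symlink
            continue
        dest = os.path.join(root, name.lstrip("/"))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if kind == "link":
            os.symlink(data, dest)
        else:
            with open(dest, "w") as fh:
                fh.write(data)
    return refused

def demo():
    # Constructed archive listing (hypothetical names, not from the bug report).
    entries = [
        ("link", "app", "/opt/app"),               # symlink starting with /
        ("file", "app/config.sample", "x=1\n"),    # would be written via the link
        ("file", "docs/readme", "ok\n"),
    ]
    with tempfile.TemporaryDirectory() as root:
        refused = extract(root, entries)
        target = os.readlink(os.path.join(root, "app"))
        wrote = os.path.isfile(os.path.join(root, "docs", "readme"))
    return refused, target, wrote

if __name__ == "__main__":
    print(demo())
```

Under this policy the link keeps its leading slash, and only the later member whose path runs through the link is skipped.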