Package: abootimg Version: 0.6-1+b2 Severity: normal Tags: patch Dear Maintainer,
If cpio archive contains absolute filenames, files are unpacked relative to host root '/', not 'ramdisk' directory. If abootimg-unpack-initrd is run as root, that could break host system and make it unbootable by overwriting important system files. -- System Information: Debian Release: bullseye/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-4-rt-amd64 (SMP w/8 CPU cores; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages abootimg depends on: ii libblkid1 2.34-0.1 ii libc6 2.30-4 abootimg recommends no packages. abootimg suggests no packages. -- no debconf information -- debsums errors found: debsums: changed file /usr/bin/abootimg-unpack-initrd (from abootimg package)
>From 3e581732879f8bc3975ac0da99beba3785f6ab98 Mon Sep 17 00:00:00 2001 From: Andrey Skvortsov <andrej.skvort...@gmail.com> Date: Fri, 27 Mar 2020 11:40:21 +0300 Subject: [PATCH] always unpack initrd to relative paths If cpio archive contains absolute filenames, files are unpacked relative to host root '/', not 'ramdisk' directory. If abootimg-unpack-initrd is run as root, that could break host system and make it unbootable by overwriting important system files. Signed-off-by: Andrey Skvortsov <andrej.skvort...@gmail.com> --- abootimg-unpack-initrd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/abootimg-unpack-initrd b/abootimg-unpack-initrd index 987239c..0113f3a 100755 --- a/abootimg-unpack-initrd +++ b/abootimg-unpack-initrd @@ -16,5 +16,5 @@ fi mkdir -p $ramdisk -zcat $initrd | ( cd $ramdisk; cpio -i ) +zcat $initrd | ( cd $ramdisk; cpio -i --no-absolute-filenames) -- 2.26.0
