Bug#946267: marked as done (cpio -i --no-absolute-filenames breaks symlinks starting with / or /..)

[Debian Bug Tracking System]

Your message dated Sat, 01 Feb 2020 13:34:11 +0000
with message-id <e1ixsuz-000b2h...@fasolo.debian.org>
and subject line Bug#946469: fixed in cpio 2.13+dfsg-2
has caused the Debian Bug report #946469,
regarding cpio -i --no-absolute-filenames breaks symlinks starting with / or /..
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946469: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: cpio
Version: 2.13+dfsg-1
Severity: serious
User: de...@kali.org
Usertags: origin-kali
Control: affects -1 live-build

live-build is able to repack the installer initrd to add custom files.
We use that feature in Kali and since last week, when cpio 2.13+dfsg-1
reached testing (and thus our ISO build chroots), our installer images are
badly broken and we get errors like “/usr/share/debconf/frontend: not
found” or “expr: not found”.

After a diffoscope run to compare the original and repacked initrd I saw
things like this:

│ │ ├── etc/mtab
│ │ │┄ symlink
│ │ │ @@ -1 +1 @@
│ │ │ -destination: /proc/mounts
│ │ │ +destination: proc/mounts
│ │ ├── usr/bin/expr
│ │ │┄ symlink
│ │ │ @@ -1 +1 @@
│ │ │ -destination: /bin/busybox
│ │ │ +destination: bin/busybox
│ │ ├── usr/share/debconf/frontend
│ │ │┄ symlink
│ │ │ @@ -1 +1 @@
│ │ │ -destination: ../../lib/cdebconf/debconf
│ │ │ +destination: lib/cdebconf/debconf

So the target of the symlinks have been modified. live-build uses
cpio in the following way to unpack the initrd and repack it:

# mkdir temp
# cd temp
# cpio -i --make-directories --no-absolute-filenames </somewhere/initrd
# ... (some changes)
# find -print0 | cpio -H newc -o0 >/somewhere/initrd-repacked

(see
https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/installer_debian-installer#L743
for actual code)

So it uses "--no-absolute-filenames" just to ensure that the files are
extracted in the current directory and to not extract them in the
root directory (in case the archive contains absolute filenames), but it
really doesn't want cpio to change the contents of the symlinks that it
extracts!

I looked in the manual page and could not find any option that would
result in the desired behavior. As this is is breaking live-build, I'm
putting this as a serious bug for now.

This regression is because the upstream fix for CVE-2015-1197 mangles
the symlinks in this way:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca

The original SuSE patch that we used was smarter, it would not change the
symlinks but it would refuse to extract over a symlink:
https://bugzilla.suse.com/attachment.cgi?id=599460&action=diff

FYI I'm putting the author of the above commit in copy so that he can
chime in and be aware of this regression.

Cheers,

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cpio depends on:
ii  libc6  2.29-3

cpio recommends no packages.

Versions of packages cpio suggests:
pn  libarchive1  <none>

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: cpio
Source-Version: 2.13+dfsg-2

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 01 Feb 2020 14:11:00 +0100
Source: cpio
Architecture: source
Version: 2.13+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 946267 946469
Changes:
 cpio (2.13+dfsg-2) unstable; urgency=medium
 .
   * Fix a regression in handling of CVE-2015-1197 & --no-absolute-filenames by
     reverting part of an upstream commit. (Closes: #946267, #946469)
   * Add Vcs-Git and Vcs-Browser pointing to my personal Salsa repository (in
     lieu of anything at all).
   * Bump Standards-Version to 4.5.0.
Checksums-Sha1:
 05dbc98edb281f4059643339b242a8ef7bfbf4de 2014 cpio_2.13+dfsg-2.dsc
 1de055ef1c651e391cc933fa8815eed521e32af8 31756 cpio_2.13+dfsg-2.debian.tar.xz
 b2079313c6bde2bef79e2c0d723eb538ab94bbd0 5832 cpio_2.13+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 5bda2717f0ce54f3e1cdfb5f6b5e490277e22266f371dc1119f2eb26144cfaa9 2014 
cpio_2.13+dfsg-2.dsc
 62825e5f5c523e600008f432c41c23040c4e23114e391bc0e24f8be0cb9e0ee6 31756 
cpio_2.13+dfsg-2.debian.tar.xz
 2aea843c0af866dab652dceda565f606aebbcea30983c5454a24de8d8b8eedd4 5832 
cpio_2.13+dfsg-2_amd64.buildinfo
Files:
 6fdf40ba5ef5d739655f0cc68ec9a503 2014 utils important cpio_2.13+dfsg-2.dsc
 a72bec1988fa5e86b08b65d3f6a4b7e3 31756 utils important 
cpio_2.13+dfsg-2.debian.tar.xz
 3a8f07c81d8129ae71ac58d1e64e8888 5832 utils important 
cpio_2.13+dfsg-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl41evAACgkQHpU+J9Qx
HliUYRAAt+bR4Y9h9YV19gvsfo0YOK3oHD7l5getCABVSKmJnG6WWXcRaI/hwMbD
PlLdaVzHr0NppbmwekPMjW/aBOnREmYXyyP9FjBe2CacZZa4fPhecT1D0mVRCIZ9
VOKb1jLoLvBqBEYBb468OuwWjErDkDllZIGe+HtyfALggRqKaKzJCaFoN8eKUNoQ
+ch8aRoPClAtxQiDGnFIcv9PD75PyZsRPpsfO30o41ScVR6hwHH46McW5XDkvhDE
uZmKhgnCSNrTXWn/fRxvi+BulGNeDgiGBpj0MF0z6CPqTbvXsz7wjzPWqSnvmBhs
xjdaOIJc60p10CQtzNTRxUpVshdmGNVRM5pqVZPsjOUKtCIn5nmi+xhGMybYb6Bc
X0rMTNL4Rg7KgorOC4zZykW060vb2m92iaYeuU242yVKPsyj/70khTpnl3ulGs71
HTakxPYIXF4iGq+4xOqcfPszWeQEivYwmGi0cUwt3KSXwGMuoFvqp88KKqqL/vnX
hV//0is7sTt/TIHZ1Sgm0qN0lJgjlNMSSg6TxESc8Mt1FClISsv3TRzp37zuecus
LM4HZ7fYMn8p2jbyaqWPqJZoPBWAmkKpdKBnUHkriepr5+lO6u9K6lsSMouDtDQH
PHZQReJ9tqIwSRQU8Mm0N3R+CgjuctwY4f7d0k4tKhUr2Zrn7Z8=
=7Ogm
-----END PGP SIGNATURE-----

--- End Message ---