A little history about this issue: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
> On May 14, 2016, at 12:17 PM, Tim Kientzle <t...@kientzle.com> wrote:
>
> Many people consider the traditional behavior to be a security risk, which is
> why this was changed.
>
> FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm
> reluctant to do that in the upstream libarchive project.
>
> Tim
>
>
>> On May 12, 2016, at 8:54 AM, Martin Matuska <m...@freebsd.org> wrote:
>>
>> Looks like we have to remove line #174 from cpio/cpio.c:
>> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>>
>> This breaks traditional cpio behavior.
>>
>> Quoting Martin Matuska <m...@freebsd.org>:
>>
>>> Hi Michael, I have looked at the source and this is an intended change in
>>> 3.2.0.
>>>
>>> An absolute path security check was added, cpio refuses to extract or copy
>>> over absolute paths. To do this anyway the "--insecure" flag must be used.
>>>
>>> Here is the commit:
>>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>>
>>> Quoting Michael Butler <i...@protected-networks.net>:
>>>
>>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>>
>>>> sudo ezjail-admin update -i -s /usr/src
>>>>
>>>> [ .. ]
>>>>
>>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
>>>> /usr/local/jails/fulljail/
>>>> install -o root -g wheel -m 444
>>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>>> /usr/local/jails/fulljail/boot/device.hints
>>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>>> absolute: Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>>> Unknown error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>>> error: -1
>>>>
>>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>>> absolute: Unknown error: -1
>>>> [ .. etc. .. ]
>>>
>>>
>>> Martin Matuska
>>> FreeBSD committer
>>> http://blog.vx.sk
>>
>>
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
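
Added example, not part of the thread and not libarchive's code: a simplified C model of the absolute-path check discussed above, showing why relative entries such as bin/cat are refused when the destination directory is absolute. It assumes, from the quoted error output, that in copy mode the check sees the destination path joined with the entry name; ALLOW_ABSOLUTE, check_joined and check_entry_only are hypothetical names, and the paths are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag for this sketch: models the effect of cpio --insecure. */
#define ALLOW_ABSOLUTE 0x1

/* Returns 0 if the path may be written, -1 if it is refused as absolute. */
static int check_path(const char *path, int flags)
{
    if (path[0] == '/' && !(flags & ALLOW_ABSOLUTE))
        return -1;
    return 0;
}

/* Copy mode model (assumption): the check is applied to destdir + "/" + name,
 * so an absolute destdir makes every entry look absolute. */
static int check_joined(const char *destdir, const char *name, int flags)
{
    char full[1024];
    int n = snprintf(full, sizeof full, "%s/%s", destdir, name);

    if (n < 0 || (size_t)n >= sizeof full)
        return -1;                      /* refuse rather than truncate */
    return check_path(full, flags);
}

/* Alternative policy: check only the name taken from the archive or file
 * list, and leave the operator-chosen destination directory alone. */
static int check_entry_only(const char *name, int flags)
{
    return check_path(name, flags);
}

int main(void)
{
    /* Constructed sample input modelled on the quoted ezjail output. */
    const char *dest = "/usr/local/jails/basejail";
    const char *names[] = { "bin", "bin/cat", "/etc/passwd" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s joined=%2d entry-only=%2d joined+insecure=%2d\n",
               names[i],
               check_joined(dest, names[i], 0),
               check_entry_only(names[i], 0),
               check_joined(dest, names[i], ALLOW_ABSOLUTE));
    return 0;
}
```

In this model the joined check refuses every entry, while the entry-only check still refuses an absolute name supplied by the archive.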