bug-cpio
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cpio-2.13 relative symlink handling with --no-absolute-filenames


From: Mike Gilbert
Subject: cpio-2.13 relative symlink handling with --no-absolute-filenames
Date: Fri, 15 Nov 2019 13:07:25 -0500

We received a bug report about broken symlinks being generated from a
cpio archive unpacked using the "dracut-initramfs-restore" utility.

https://bugs.gentoo.org/700020

https://github.com/dracutdevs/dracut/blob/ff2043fb4244b0ba740724921e9667aad19f262a/dracut-initramfs-restore.sh#L28

This shell script unpacks an initramfs image to /run/initramfs to be
used when shutting down a Linux system.

If the initramfs image contains any symlinks that refer to a parent
directory (..), cpio --no-absolute-filenames strips the leading ".."
and generates a symlink that points to the wrong place. For example,
say we have the following structure in a cpio archive:

./bin/systemctl (regular file)
./sbin/reboot -> ../bin/systemctl (symlink)

cpio-2.12 extracts this correctly. With cpio-2.13, we end up with this:

./bin/systemctl
./sbin/reboot -> bin/systemctl (broken symlink)

As well, with cpio-2.13, the following message is output:

"Removing leading `../' from hard link targets"

We think this may be an unintended consequence of a patch that was
applied to address CVE-2015-1197. Was this change in behavior for
relative symlinks intended, or is this a bug?

--
Mike Gilbert



reply via email to

[Prev in Thread] Current Thread [Next in Thread]