Regression in handling of CVE-2015-1197 & --no-absolute-filenames breaks

From: Chris Lamb
Subject: Regression in handling of CVE-2015-1197 & --no-absolute-filenames breaks symlinks starting with /
Date: Wed, 08 Jan 2020 14:38:06 +0000
User-agent: Cyrus-JMAP/3.1.7-731-g1812a7f-fmstable-20200106v2

[please retain any CCs when replying; I am not subscribed to the list]

Dear cpio maintainers,

(I am not the Maintainer of cpio in Debian so was not alerted to the
issue until recently, but was asked to look into this.)

The following bug was filed in Debian:


… which reports a recent regression in cpio whereby
--no-absolute-filenames breaks the extraction of symlinks starting with /.

The reporter of the issue suggests that:

> This regression is because the upstream fix for CVE-2015-1197
> mangles the symlinks in this way:
> https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca

The reporter, Raphael, correctly points out that the "original SuSE
patch" that Debian had used prior to an upstream-included fix for this
CVE had a different behaviour in that "it would not change the
symlinks but it would refuse to extract over a symlink."

However, I'm not quite sure about what the fix should actually be here
as reverting the upstream fix for CVE-2015-1197 and reapplying the
SuSE patch doesn't feel right at all, hence reaching out to you for
advice. I hope you can help.

Best wishes,

     : :'  :     Chris Lamb
     `. `'`      address@hidden 🍥 chris-lamb.co.uk
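
The behaviour the message attributes to the original SuSE patch (symlink targets left unchanged, extraction over a symlink refused), sketched as an added example. It is not code from cpio, Debian or the SuSE patch; the member list, function names and link target are constructed for illustration.

```python
import os
import tempfile

# Constructed sample archive: (kind, member name, payload or link target).
SAMPLE_MEMBERS = [
    ("dir", "usr", None),
    ("symlink", "usr/tmp", "/nonexistent-example/target"),  # absolute target
    ("file", "usr/tmp/evil", b"x"),    # would be written through the symlink
    ("file", "usr/ok.txt", b"hello"),
]

def crosses_symlink(dest, name):
    """True if any already-extracted component of name under dest is a symlink."""
    path = dest
    for part in name.split("/"):
        path = os.path.join(path, part)
        if os.path.islink(path):       # also true for dangling symlinks
            return True
    return False

def extract(members, dest):
    """Extract members under dest; return (extracted, refused) name lists."""
    extracted, refused = [], []
    for kind, name, data in members:
        name = name.lstrip("/")        # member *names* stay relative to dest
        if not name or ".." in name.split("/") or crosses_symlink(dest, name):
            refused.append(name)       # never write over or through a symlink
            continue
        target = os.path.join(dest, name)
        if kind == "dir":
            os.makedirs(target, exist_ok=True)
        elif kind == "symlink":
            os.symlink(data, target)   # link *target* is stored unmodified
        else:
            with open(target, "wb") as fh:
                fh.write(data)
        extracted.append(name)
    return extracted, refused

def demo():
    """Run the sample; return (extracted, refused, stored link target)."""
    dest = tempfile.mkdtemp()
    extracted, refused = extract(SAMPLE_MEMBERS, dest)
    return extracted, refused, os.readlink(os.path.join(dest, "usr", "tmp"))

if __name__ == "__main__":
    print(demo())
```

The check-then-write sequence here is not race-free; a C implementation would normally close that gap with `openat()` and `O_NOFOLLOW` on each component.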
