[Bug 207965] [nanobsd] regression during disk image build after CVE-2015-2304 fix/libarchive 3.2.0 update

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat May 14 12:55:23 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207965

--- Comment #3 from Jason Unovitch <junovitch at freebsd.org> ---
Turns out we relied on absolute path extraction in multiple places as it broke
ports as well after the 3.2.0 update [1] and the commit was reverted shortly
after [2].

[1] https://svnweb.freebsd.org/base?view=revision&revision=299529
[2] https://svnweb.freebsd.org/base?view=revision&revision=299576

As per the new cpio(1) manual, --insecure is needed for:
"This allows extraction via symbolic links, absolute paths, and path names
containing .. in the name."

On r299575 before the revert, the image builds are broken with the "Path is
absolute" failure before applying this change and fixed afterwards.  There is
also no change to building a good image by using --insecure on r299278 before
the update.

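The three conditions quoted from cpio(1) above can be checked before extraction, so a build script knows in advance whether an archive will trip the "Path is absolute" class of failure. The following is an added example, not part of the bug comment or of FreeBSD's or libarchive's code; it assumes a cpio archive in the "newc" format, the function names are hypothetical, the sample archive is constructed, and the symbolic-link check only sees links carried inside the archive, not ones already on disk.

```python
import stat

HEADER_LEN = 110  # newc header: 6-byte magic + 13 fields of 8 hex digits

def pad4(n):
    return (n + 3) & ~3  # names and file data are padded to 4-byte boundaries

def newc_members(blob):
    """Yield (name, mode) for every entry before the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("no newc magic at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        start = off + HEADER_LEN
        name = blob[start:start + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, mode
        off = pad4(pad4(start + namesize) + filesize)

def audit(blob):
    """Return (name, reason) for members matching the three quoted conditions."""
    findings, symlinks = [], set()
    for name, mode in newc_members(blob):
        parts = name.split("/")
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        if ".." in parts:
            findings.append((name, "contains .."))
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            findings.append((name, "via symbolic link"))
        if stat.S_ISLNK(mode):
            symlinks.add(name)
    return findings

def entry(name, mode, data=b""):
    """Build one newc record; used only to construct the sample below."""
    n = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + n
    out += b"\0" * (pad4(len(out)) - len(out)) + data
    return out + b"\0" * (pad4(len(out)) - len(out))

# Constructed sample archive, not taken from the bug report.
SAMPLE = b"".join(entry(n, m, d) for n, m, d in [
    ("etc/motd", 0o100644, b"hi\n"), ("/etc/rc.conf", 0o100644, b"x"),
    ("../escape", 0o100644, b""), ("lnk", 0o120777, b"/tmp"),
    ("lnk/file", 0o100644, b"y"), ("TRAILER!!!", 0, b"")])
```

An empty result from `audit()` means none of the archive's own member names match the quoted conditions; a non-empty one lists the members to review before deciding to pass `--insecure`.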