Bug 207965 - [nanobsd] regression during disk image build after CVE-2015-2304 fix/libarchive 3.2.0 update
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2016-03-14 01:25 UTC by Jason Unovitch
Modified: 2016-06-26 00:28 UTC (History)


Attachments
add --insecure to cpio calls (1.43 KB, patch)
2016-05-14 12:50 UTC, Jason Unovitch

Description Jason Unovitch freebsd_committer freebsd_triage 2016-03-14 01:25:25 UTC
The nanobsd script is relying on behaviour that has been patched in the next release of libarchive (https://github.com/libarchive/libarchive/commit/5935715).

Excerpt from /usr/obj/nanobsd.soekris/_.di

Populating s1a from /usr/obj/nanobsd.soekris/_.w
/usr/obj/nanobsd.soekris/_.mnt/.cpio: .: Path is absolute: Unknown error: -1

/usr/obj/nanobsd.soekris/_.mnt/./varcpio: ./var: Path is absolute: Unknown error: -1

This prevents building a good image.  I haven't dug into a suggested fix as of yet.

See also:
- https://github.com/libarchive/libarchive/pull/110
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2016-03-14 01:27:32 UTC
Left as impacts only me.  The commit in question that would cause this issue is part of bug 206386 and the libarchive 3.2.0 release is only in the alpha stages at this time (https://github.com/libarchive/libarchive/releases/tag/v3.1.900a).

I'll revisit when I get the time.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-05-14 12:50:08 UTC
Created attachment 170272
add --insecure to cpio calls

Use --insecure on cpio(1) calls

As of libarchive-3.2.0, extraction to absolute paths is considered an insecure behavior to address CVE-2015-2304.  The --insecure flag must be used to allow extraction to absolute paths.
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-05-14 12:55:23 UTC
Turns out we relied on absolute path extraction in multiple places as it broke ports as well after the 3.2.0 update [1] and the commit was reverted shortly after [2].

[1] https://svnweb.freebsd.org/base?view=revision&revision=299529
[2] https://svnweb.freebsd.org/base?view=revision&revision=299576

As per the new cpio(1) manual, --insecure is needed for:
"This allows extraction via symbolic links, absolute paths, and path names containing .. in the name."

On r299575 before the revert, the image builds are broken with the "Path is absolute" failure before applying this change and fixed afterwards.  There is also no change to building a good image by using --insecure on r299278 before the update.
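
The three conditions named in the cpio(1) manual quote above (symbolic links, absolute paths, `..` in names), as an added example that is not part of the original comments and is not nanobsd or libarchive code: a shell pre-check that classifies member names before extraction, so a build script can see exactly which entries trip each condition. The function names, the sample member list and the temporary destination tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not nanobsd or libarchive code. Names are hypothetical.
# member_risk NAME [DESTDIR] -> prints absolute | dotdot | symlink | ok
member_risk() {
    name=$1 dest=${2:-.}
    case $name in
        /*) echo absolute; return ;;
    esac
    case "/$name/" in
        */../*) echo dotdot; return ;;
    esac
    # Walk each leading directory component under DESTDIR; an existing
    # symlink there would redirect the write outside the destination tree.
    cur=$dest rest=$name
    while [ "${rest#*/}" != "$rest" ]; do
        cur=$cur/${rest%%/*}
        rest=${rest#*/}
        if [ -L "$cur" ]; then echo symlink; return; fi
    done
    echo ok
}

# screen_members DESTDIR < list: print "risk<TAB>name" for every flagged
# member name; return 1 if anything was flagged, 0 otherwise.
screen_members() {
    flagged=0
    while IFS= read -r m; do
        r=$(member_risk "$m" "$1")
        [ "$r" = ok ] || { printf '%s\t%s\n' "$r" "$m"; flagged=1; }
    done
    return "$flagged"
}

# Constructed sample: a destination tree where "etc" is a symlink, and
# member names like those a "find . | cpio" pipeline would emit.
demo() {
    d=$(mktemp -d) || return 2
    ln -s /tmp "$d/etc"
    rc=0
    printf '%s\n' ./var/db /usr/obj/x ../escape etc/passwd boot..cfg |
        screen_members "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

Only leading directory components are tested for symlinks here; the final component is left to the extractor.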
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2016-06-26 00:28:16 UTC
This was fixed after https://svnweb.FreeBSD.org/changeset/base/299896 which imported the upstream commit to fix behaviour of the -p/--pass-through flag.  This PR is now overcome by events with that fixed in upstream libarchive.