
Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2



Hi,

On 03.08.2018 at 00:27, jhcha54008 wrote:
> Hi again,
> 
> I haven't studied thoroughly the code of busybox.
> But with the patch below applied I recover the expected
> behaviour of busybox cpio on the example archive.cpio.gz
> from the previous message.
> 
> I hope it will help to find a solution.
> 
> Thank you for your work to keep jessie usable!

Upstream made several commits regarding CVE-2011-5325 in the past. As
Chris already mentioned before, this is upstream bug

https://bugs.busybox.net/show_bug.cgi?id=8411

Your suggested change to extract symlinks the same way tar does makes
sense. Upstream made this change months later in

https://git.busybox.net/busybox/commit/archival/cpio.c?id=d9503224c8a93a30b0c8627084b2744d3ee6f403

I believe we can safely apply it for Jessie.

Thanks for your help in debugging this issue!

Regards,

Markus
