Hi,

On 03.08.2018 at 00:27, jhcha54008 wrote:
> Hi again,
>
> I haven't studied thoroughly the code of busybox.
> But with the patch below applied I recover the expected
> behaviour of busybox cpio on the example archive.cpio.gz
> from the previous message.
>
> I hope it will help to find a solution
>
> Thank you for your work to keep jessie usable!

Upstream made several commits regarding CVE-2011-5325 in the past. As Chris already mentioned before, this is upstream bug

https://bugs.busybox.net/show_bug.cgi?id=8411

Your suggested change to extract symlinks the same way tar does makes sense. Upstream made this change months later in

https://git.busybox.net/busybox/commit/archival/cpio.c?id=d9503224c8a93a30b0c8627084b2744d3ee6f403

I believe we can safely apply it for Jessie. Thanks for your help in debugging this issue!

Regards,

Markus