* [PATCH] devtool: deploy-target: support "unsafe" symlinks
From: Olaf Mandel @ 2019-02-26 9:39 UTC (permalink / raw)
To: openembedded-core; +Cc: Olaf Mandel
The busybox version of tar considers symlink targets that start with /
or with ../ to be unsafe and refuses to unpack them unless the
EXTRACT_UNSAFE_SYMLINKS environment variable is set to 1.
As even many core packages legitimately contain such links (e.g.
coreutils-locale-*, dropbear, eudev, initscripts, kmod, ...), add the
environment variable to the remote script.
---
scripts/lib/devtool/deploy.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
index f345f31b7b..9617388f90 100644
--- a/scripts/lib/devtool/deploy.py
+++ b/scripts/lib/devtool/deploy.py
@@ -114,6 +114,7 @@ def _prepare_remote_script(deploy, verbose=False, dryrun=False, undeployall=Fals
lines.append('rm $3')
lines.append('mkdir -p `dirname $manifest`')
lines.append('mkdir -p $2')
+ lines.append('export EXTRACT_UNSAFE_SYMLINKS=1')
if verbose:
lines.append(' tar xv -C $2 -f - | tee $manifest')
else:
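Review bot: the `export EXTRACT_UNSAFE_SYMLINKS=1` line added before `tar xv -C $2 -f - | tee $manifest` is exported for the remainder of the generated remote script rather than scoped to the one tar invocation that needs it. Since the variable switches off busybox tar's refusal to create symlinks whose targets start with `/` or `../` (the links the commit message describes, which can point outside the extraction directory `$2`), consider setting it per command instead, e.g. `lines.append('EXTRACT_UNSAFE_SYMLINKS=1 tar xv -C $2 -f - | tee $manifest')` (and the same in the non-verbose branch), so the relaxation is in effect only while the deploy archive is being unpacked. The hunk also adds the line without any comment saying why it is needed or which busybox versions require it, which a later reader of deploy.py will want.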
--
2.11.0
* Re: [PATCH] devtool: deploy-target: support "unsafe" symlinks
From: Andre McCurdy @ 2019-02-26 23:11 UTC (permalink / raw)
To: Olaf Mandel; +Cc: OE Core mailing list
On Tue, Feb 26, 2019 at 1:40 AM Olaf Mandel <o.mandel@menlosystems.com> wrote:
>
> The busybox version of tar considers symlink targets that start with /
> or with ../ to be unsafe and refuses to unpack them unless the
> EXTRACT_UNSAFE_SYMLINKS environment variable is set to 1.
>
> As even many core packages legitimately contain such links (e.g.
> coreutils-locale-*, dropbear, eudev, initscripts, kmod, ...), add the
> environment variable to the remote script.
Upstream Busybox seems to have a different solution, so perhaps worth
adding a comment that EXTRACT_UNSAFE_SYMLINKS is a temporary /
version-specific fix.
https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b
> ---
> scripts/lib/devtool/deploy.py | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
> index f345f31b7b..9617388f90 100644
> --- a/scripts/lib/devtool/deploy.py
> +++ b/scripts/lib/devtool/deploy.py
> @@ -114,6 +114,7 @@ def _prepare_remote_script(deploy, verbose=False, dryrun=False, undeployall=Fals
> lines.append('rm $3')
> lines.append('mkdir -p `dirname $manifest`')
> lines.append('mkdir -p $2')
> + lines.append('export EXTRACT_UNSAFE_SYMLINKS=1')
> if verbose:
> lines.append(' tar xv -C $2 -f - | tee $manifest')
> else:
> --
> 2.11.0
* [PATCH v2] devtool: deploy-target: support "unsafe" symlinks
From: Olaf Mandel @ 2019-02-27 9:10 UTC (permalink / raw)
To: openembedded-core; +Cc: Olaf Mandel
The busybox version of tar in sumo considers symlink targets that start
with / or with ../ to be unsafe and refuses to unpack them unless the
EXTRACT_UNSAFE_SYMLINKS environment variable is set to 1.
As even many core packages legitimately contain such links (e.g.
coreutils-locale-*, dropbear, eudev, initscripts, kmod, ...), add the
environment variable to the remote script.
---
scripts/lib/devtool/deploy.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
index f345f31b7b..dc9b34e0ee 100644
--- a/scripts/lib/devtool/deploy.py
+++ b/scripts/lib/devtool/deploy.py
@@ -114,6 +114,11 @@ def _prepare_remote_script(deploy, verbose=False, dryrun=False, undeployall=Fals
lines.append('rm $3')
lines.append('mkdir -p `dirname $manifest`')
lines.append('mkdir -p $2')
+ # Busybox tar v1.28.x (plus v1.27.2 with the CVE-2011-5325 patch)
+ # requires this env variable. The first release without this issue
+ # is thud.
+ # FIXME Remove once sumo goes out of support
+ lines.append('export EXTRACT_UNSAFE_SYMLINKS=1')
if verbose:
lines.append(' tar xv -C $2 -f - | tee $manifest')
else:
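Review bot: the new comment ties removal of the workaround to the sumo release ("FIXME Remove once sumo goes out of support"), but this script is generated on the build host and executed on the target, so what decides whether the variable is needed is the busybox version in the target image, which need not match the release the host is running; consider wording the FIXME as "Remove once targets built from sumo (busybox tar v1.28.x, or v1.27.2 with the CVE-2011-5325 patch) are out of support" so the condition is checkable against the device. The `export` still applies to the whole remainder of the remote script rather than just the `tar xv -C $2 -f -` invocation; prefixing the tar command with `EXTRACT_UNSAFE_SYMLINKS=1` instead would keep the symlink-target check disabled only while the deploy archive is unpacked.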
--
2.11.0
* Re: [PATCH v2] devtool: deploy-target: support "unsafe" symlinks
From: Richard Purdie @ 2019-02-27 9:14 UTC (permalink / raw)
To: Olaf Mandel, openembedded-core
On Wed, 2019-02-27 at 09:10 +0000, Olaf Mandel wrote:
> The busybox version of tar in sumo considers symlink targets that
> start
> with / or with ../ to be unsafe and refuses to unpack them unless the
> EXTRACT_UNSAFE_SYMLINKS environment variable is set to 1.
>
> As even many core packages legitimately contain such links (e.g.
> coreutils-locale-*, dropbear, eudev, initscripts, kmod, ...), add the
> environment variable to the remote script.
> ---
> scripts/lib/devtool/deploy.py | 5 +++++
> 1 file changed, 5 insertions(+)
I'm tempted to suggest we backport changes to busybox in sumo to
address this...
Cheers,
Richard