[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
cpio-2.13 relative symlink handling with --no-absolute-filenames
|
From: |
Mike Gilbert |
|
Subject: |
cpio-2.13 relative symlink handling with --no-absolute-filenames |
|
Date: |
Fri, 15 Nov 2019 13:07:25 -0500 |
We received a bug report about broken symlinks being generated from a
cpio archive unpacked using the "dracut-initramfs-restore" utility.
https://bugs.gentoo.org/700020
https://github.com/dracutdevs/dracut/blob/ff2043fb4244b0ba740724921e9667aad19f262a/dracut-initramfs-restore.sh#L28
This shell script unpacks an initramfs image to /run/initramfs to be
used when shutting down a Linux system.
If the initramfs image contains any symlinks that refer to a parent
directory (..), cpio --no-absolute-filenames strips the leading ".."
and generates a symlink that points to the wrong place. For example,
say we have the following structure in a cpio archive:
./bin/systemctl (regular file)
./sbin/reboot -> ../bin/systemctl (symlink)
cpio-2.12 extracts this correctly. With cpio-2.13, we end up with this:
./bin/systemctl
./sbin/reboot -> bin/systemctl (broken symlink)
As well, with cpio-2.13, the following message is output:
"Removing leading `../' from hard link targets"
We think this may be an unintended consequence of a patch that was
applied to address CVE-2015-1197. Was this change in behavior for
relative symlinks intended, or is this a bug?
--
Mike Gilbert
- cpio-2.13 relative symlink handling with --no-absolute-filenames,
Mike Gilbert <=