Hi Michael, Moritz, (finally found time to circle back to busybox)
Thanks Michael for your feedback (also thanks for the reply in the other mail which outlined the plan). With your explanation I'd say it would make sense to enable CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION, possibly with some NEWS entry to document the behavioural change.

OTOH there is no need to rush this, and looking at the security tracker I believe we will see further fixes for oldstable and older down the road, so we can take the time to properly discuss this with all teams.

So I guess I will first focus on closing the LTS -> oldstable gap (IOW I'll prepare an upload for CVE-2022-48174, CVE-2023-42364, CVE-2023-42365 and CVE-2023-42363 via oldstable-proposed-updates) and then go from there.

--
Cheers,
tobi

On Mon, Feb 02, 2026 at 12:22:31AM +0300, Michael Tokarev wrote:
> On 2/2/26 00:05, Moritz Mühlenhoff wrote:
> > On Sun, Feb 01, 2026 at 07:24:43PM +0100, Tobias Frost wrote:
> > > https://salsa.debian.org/lts-team/packages/busybox/-/tree/debian/bookworm-CVE-2023-39810
> > >
> > > However, strictly speaking the fix for this CVE changes busybox behaviour,
> > > as directory traversal was "allowed" before and disallowing it is a
> > > behavioral change.
> >
> > The patch doesn't change the default, so that seems fine to backport.
>
> The patch itself doesn't, but it doesn't fix the issue either.
> After I applied that patch (in unstable), I also enabled the config
> option it introduces -
>
> CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y
>
> There's no reason to apply the patch but not the config option.
>
> On the other hand, this is actually not that bad of a change.
> Yes, it's a change in behaviour but not that bad, in my opinion.
>
> On the other hand, - usage of unarchival utilities from busybox in
> debian is very limited, since real tools (tar, cpio, unzip, etc
> packages) are used instead. From this perspective, both the issue
> becomes much less important, and its fixing, even if a change in
> behaviour, becomes much less risky.
>
> In my view, the only place where you might extract an archive using
> busybox is some sort of rescue system, where you copied some file
> from another system on a USB flash and extract it on a broken
> system using busybox's tar or unzip, - that's basically it.
>
> Thanks,
>
> /mjt
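To make the behavioural change under discussion concrete, here is an added illustration (not busybox's code, nor anything from the thread) of the kind of member-name check an archive extractor applies when path traversal protection is enabled: members whose names are absolute or still contain a leading `..` component after normalisation are refused instead of being written outside the extraction directory. The sample archive is constructed inline; `member_is_unsafe` and `classify_members` are names chosen for this example.

```python
import io
import posixpath
import tarfile

def member_is_unsafe(name: str) -> bool:
    """True if an archive member name could escape the extraction directory.

    Rejects absolute names and any name that, after normalisation, still
    starts with a '..' component (e.g. 'a/../../etc/passwd' -> '../etc/passwd').
    'dir/sub/../file' normalises to 'dir/file' and is accepted.
    Note: a name check alone does not cover symlink-based escapes (a symlink
    member pointing outside, followed by a file member beneath it); extractors
    need a separate check for that case.
    """
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")

def classify_members(archive: bytes) -> dict:
    """Split the member names of a tar archive into accepted and rejected lists,
    as an extractor with traversal protection would before writing anything."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf.getmembers():
            (rejected if member_is_unsafe(member.name) else accepted).append(member.name)
    return {"accepted": accepted, "rejected": rejected}

def build_sample_archive() -> bytes:
    """Constructed sample archive: two benign members and two traversal attempts.
    tarfile.addfile() stores the names verbatim, so '..' and '/' survive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("etc/motd", "../../etc/passwd", "/etc/shadow", "dir/sub/../file"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    result = classify_members(build_sample_archive())
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
```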