This appears to be a regression introduced by busybox 1:1.27.2-1ubuntu4:

  * SECURITY UPDATE: directory traversal via tar symlink extraction
    - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe
      symlinks unless env variable is set in
      archival/libarchive/Kbuild.src,
      archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
      testsuite/tar.tests.
    - CVE-2011-5325
[...]
 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 24 Nov 2017 12:55:21 -0500

Marc, this patch seems to have not been included upstream in Debian, and
it's definitely a behavior difference vs. the other tar implementations
as used by debootstrap (i.e. GNU tar). Is this actually fixing a
security vulnerability, or is it an attempt to mitigate future unknown
vulnerabilities?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5325

** Package changed: base-installer (Ubuntu) => busybox (Ubuntu)

** Changed in: busybox (Ubuntu)
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1737662

Title:
  Unable to install ubuntu1804 build with Debootstrap warning on witherspoon system
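
To see which entries in a root-filesystem tarball a symlink check of this kind would refuse, the following added example (not code from busybox or from the Ubuntu patch) lists symlinks whose targets are absolute or contain a `..` component. That definition of "unsafe" is an assumption, since the changelog above does not spell it out, and the archive is constructed sample data.

```python
import io
import tarfile
from pathlib import PurePosixPath


def is_unsafe_target(target: str) -> bool:
    """Assumed policy: an absolute target, or any '..' path component."""
    return target.startswith("/") or ".." in PurePosixPath(target).parts


def unsafe_symlinks(fileobj):
    """Return (member name, link target) for each symlink the policy would skip."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [(m.name, m.linkname) for m in tar
                if m.issym() and is_unsafe_target(m.linkname)]


def build_sample() -> io.BytesIO:
    """Constructed archive with the kinds of links a root filesystem carries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [
            ("etc/mtab", "/proc/mounts"),                  # absolute target
            ("usr/lib/libfoo.so", "libfoo.so.1"),          # relative, same directory
            ("etc/os-release", "../usr/lib/os-release"),   # climbs with '..'
        ]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Nothing is extracted; the archive is only read and reported on.
    for name, target in unsafe_symlinks(build_sample()):
        print(f"would be skipped: {name} -> {target}")
```

Run against a real base tarball by passing an open binary file object to `unsafe_symlinks`; a non-empty result shows which links an extractor with this policy would leave out.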