This appears to be a regression introduced by busybox 1:1.27.2-1ubuntu4:
  * SECURITY UPDATE: directory traversal via tar symlink extraction
    - debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks
      unless env variable is set in archival/libarchive/Kbuild.src,
      archival/libarchive/data_extract_all.c,
      archival/libarchive/unsafe_symlink_target.c, archival/tar.c,
      coreutils/link.c, include/bb_archive.h, libbb/copy_file.c,
      testsuite/tar.tests.
    - CVE-2011-5325
[...]

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 24 Nov 2017 12:55:21 -0500

Marc, this patch seems to have not been included upstream in Debian, and
it's definitely a behavior difference vs. the other tar implementations
as used by debootstrap (i.e. GNU tar).  Is this actually fixing a
security vulnerability, or is it an attempt to mitigate future unknown
vulnerabilities?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5325

** Package changed: base-installer (Ubuntu) => busybox (Ubuntu)

** Changed in: busybox (Ubuntu)
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1737662

Title:
  Unable to install ubuntu1804 build with Debootstrap warning on
  witherspoon system


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
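The changelog entry above describes a policy rather than showing it: a tar extractor that refuses symlink members whose target may point outside the extraction root, which is the class of directory traversal CVE-2011-5325 covers, and which also explains why a base-system tarball full of legitimate absolute symlinks can suddenly fail to unpack. The following Python is an added example, written for this page; it is not busybox's `unsafe_symlink_target.c`, not part of the Ubuntu patch, and not from the bug report. The refusal rule it implements (absolute targets refused; relative targets resolved against the link's own directory and refused if they climb above the root) is an assumption modelled on the behaviour the changelog describes, not a transcription of the patch. The sample archive, its member names and its file contents are constructed for the demonstration.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def symlink_escapes_root(member: tarfile.TarInfo) -> bool:
    """Return True when a symlink member's target cannot be shown to stay
    inside the extraction root.

    Assumed rule (modelled on the changelog's description, not the patch's
    code): an absolute target is refused, and a relative target is refused
    when, resolved against the directory holding the link, it climbs above
    the root via '..'.
    """
    if not member.issym():
        return False
    target = member.linkname
    if posixpath.isabs(target):
        return True
    link_dir = posixpath.dirname(posixpath.normpath(member.name))
    resolved = posixpath.normpath(posixpath.join(link_dir, target))
    return resolved == ".." or resolved.startswith("../")


def check_link(name: str, target: str) -> bool:
    """Convenience wrapper: would a symlink member `name` -> `target` be refused?"""
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    return symlink_escapes_root(info)


def scan_archive(data: bytes) -> list:
    """List (member name, link target) for every symlink the rule would refuse."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [(m.name, m.linkname) for m in tf.getmembers() if symlink_escapes_root(m)]


def safe_extract(data: bytes, dest: str) -> list:
    """Extract into dest, skipping refused symlinks; return the member names written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if symlink_escapes_root(m):
                continue  # the busybox-style policy: skip, do not create the link
            tf.extract(m, path=dest)
            written.append(m.name)
    return written


def build_sample_archive() -> bytes:
    """Constructed test archive (not from the bug report) shaped like a base-system tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        etc = tarfile.TarInfo("etc")
        etc.type = tarfile.DIRTYPE
        etc.mode = 0o755
        tf.addfile(etc)

        # Relative link that stays under the root: allowed.
        lt = tarfile.TarInfo("etc/localtime")
        lt.type = tarfile.SYMTYPE
        lt.linkname = "../usr/share/zoneinfo/UTC"
        tf.addfile(lt)

        payload = b"TZif-placeholder"  # constructed stand-in for zoneinfo data
        utc = tarfile.TarInfo("usr/share/zoneinfo/UTC")
        utc.size = len(payload)
        tf.addfile(utc, io.BytesIO(payload))

        # Absolute link: harmless once the tarball *is* the root filesystem
        # (Debian alternatives use exactly this form), yet refused by the
        # assumed rule. Members like this are where a GNU tar / busybox tar
        # behaviour difference becomes visible to a tool such as debootstrap.
        vi = tarfile.TarInfo("usr/bin/vi")
        vi.type = tarfile.SYMTYPE
        vi.linkname = "/etc/alternatives/vi"
        tf.addfile(vi)

        # Relative link climbing above the root: refused.
        esc = tarfile.TarInfo("tmp/escape")
        esc.type = tarfile.SYMTYPE
        esc.linkname = "../../outside-root"
        tf.addfile(esc)
    return buf.getvalue()


def demo() -> dict:
    """Scan and extract the constructed archive; return what was refused and written."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        written = safe_extract(data, dest)
        kept = os.readlink(os.path.join(dest, "etc", "localtime"))
    return {"refused": scan_archive(data), "written": written, "kept_link": kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two faces of the policy at once: the escaping link `tmp/escape` is refused, which is the protection the changelog is after, but so is the absolute `usr/bin/vi` link, which is the kind of benign member a GNU tar based bootstrap extracts without complaint. `scan_archive` on its own is the useful defensive piece: run it over an untrusted archive before extraction to see what a stricter extractor would drop.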