3
0
Fork 0
forked from mirrors/nixpkgs

vmTools.fillDiskWithRPMs: fix cpio use

When updating to cpio-2.13 in fe758f5fa3,
a patch from SUSE was dropped. This patch was intended to resolve
CVE-2015-1197, and introduced the '--extract-over-symlink' option to
disable its own effects.

The CVE-2015-1197 was fixed in cpio-2.13 release[1] by other means,
making this patch useless.

Given that this patch is no longer used, we do not need to disable its
effects anymore with the `--extract-over-symlink` argument switch.

This Commit fixes #74984

[1] https://lists.gnu.org/archive/html/info-gnu/2019-11/msg00002.html
This commit is contained in:
Lancelot SIX 2019-12-08 18:13:40 +01:00 committed by Bjørn Forsman
parent eeda68a88e
commit 337cd5cc8a

View file

@ -430,7 +430,7 @@ rec {
set +o pipefail
for i in $rpms; do
echo "$i..."
${rpm}/bin/rpm2cpio "$i" | chroot /mnt ${cpio}/bin/cpio -i --make-directories --unconditional --extract-over-symlinks
${rpm}/bin/rpm2cpio "$i" | chroot /mnt ${cpio}/bin/cpio -i --make-directories --unconditional
done
eval "$preInstall"