Subject: Re: pkg/23954
To: None <kristerw@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: pkgsrc-bugs
Date: 01/01/2005 05:48:13
On Fri, Dec 31, 2004 at 10:40:40PM +0000, kristerw@netbsd.org wrote:
> Synopsis: ...pkgsrc/archivers/arc has a warning (potential buffer overflow)
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: kristerw@netbsd.org
> State-Changed-When: Fri, 31 Dec 2004 22:40:39 +0000
> State-Changed-Why:
> Thank you for the patch.  The license for this software is however
> "this program may be distributed freely so long as you don't modify
> it in any way", and I assume that this program is used in such a way

That would only prevent making a binary package, as I understand it.
(Or doing "make patch" and then redistributing the patched sources.)

I think that there is a long tradition of distributing patches to
software that you cannot directly redistribute.  In fact, I believe
that BSD fell into that category for quite some time, before the
patches were so numerous and extensive that the people just replaced
the remaining AT&T code (or so they thought until AT&T decided to
sue).

Looking at the patches/* files, I see that it already has two patches.
Are you preparing to remove those patches as well, on the grounds
that modified versions of the software can't be redistributed?

I am all for respecting the original author's wishes.  I do not
see that distributing patches runs against what the author has
asked, though.  And if it does, then we need to drop the other
patches.  I don't see degree of "necessity" as in any way a
factor here: Either it is okay to include patches in pkgsrc, or
it is not.


> that the potential buffer overflow does not cause any problems in
> real life.  So I would like to close this PR without applying the patch.
> Is that OK with you?

I think that at least a crash can be induced.  An automated process that
relies upon arc could be put under DoS if fed .arc archives from arbitrary
sources.

Since the buffer is not put on the stack, it seems, I agree that it
probably couldn't be used to run arbitrary code.


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
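The crash-versus-code-execution point in the reply above rests on where the destination buffer lives and on whether the length taken from the archive is ever bounded. The following is an added illustration written for this page, not arc's code and not the bug in the PR: it uses a made-up record layout (one length byte followed by a file name) and a fixed global buffer, and shows an unchecked copy beside the checked one that rejects a record whose declared length would not fit. A copy into a global still clobbers whatever the linker placed next to it in .bss, which is why the cheap fix is to bound the length before copying rather than to reason about what sits after the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example; it is not the
 * real ARC header format and not the defect discussed in the PR.
 *   byte 0      : n, length of the file name
 *   bytes 1..n  : the file name, no terminator
 * The destination is a fixed-size global, i.e. not on the stack. */
#define NAME_MAX 13
char g_name[NAME_MAX + 1];

/* Unchecked variant: trusts n from the file.  With n > NAME_MAX the memcpy
 * runs past g_name into whatever follows it in .bss.  Kept for contrast
 * only; nothing in this file calls it. */
int parse_name_unchecked(const uint8_t *rec, size_t len)
{
    if (len < 1)
        return -1;
    size_t n = rec[0];
    if (len < 1 + n)
        return -1;                  /* record is truncated */
    memcpy(g_name, rec + 1, n);     /* no bound against NAME_MAX */
    g_name[n] = '\0';
    return (int)n;
}

/* Checked variant: the declared length is bounded against the destination
 * before anything is copied.  Returns n on success, -1 for a truncated or
 * empty record, -2 when the record would overflow the buffer. */
int parse_name_checked(const uint8_t *rec, size_t len, char *out, size_t outsz)
{
    if (len < 1 || outsz == 0)
        return -1;
    size_t n = rec[0];
    if (n >= outsz)
        return -2;                  /* reject instead of overflowing */
    if (len < 1 + n)
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed well-formed record: name "hello". */
int demo_good_record(void)
{
    static const uint8_t rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    return parse_name_checked(rec, sizeof rec, g_name, sizeof g_name);
}

/* Constructed hostile record: declares a 200-byte name, far past NAME_MAX.
 * The checked parser must refuse it and leave g_name untouched. */
int demo_hostile_record(void)
{
    uint8_t rec[1 + 200];
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
    return parse_name_checked(rec, sizeof rec, g_name, sizeof g_name);
}

int main(void)
{
    int rc = demo_good_record();
    printf("good record:    rc=%d name=\"%s\"\n", rc, g_name);  /* rc=5 name="hello" */
    rc = demo_hostile_record();
    printf("hostile record: rc=%d (rejected)\n", rc);            /* rc=-2 */
    return 0;
}
```

The return codes are kept distinct so a caller can log "truncated" separately from "would overflow"; the latter is the one worth alerting on when archives arrive from arbitrary sources, since it is exactly the input that turns an unchecked copy into the crash described above.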