pkgsrc-Users archive
Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
On Wed, Apr 16, 2014 at 02:06:09PM -0500, J. Lewis Muir wrote:
> Hello.
>
> I'm tracking pkgsrc-2014Q1, and "pkg_admin audit" reports the
> following:
>
> Package libarchive-2.8.4nb3 has a multiple-vulnerabilities
> vulnerability, see http://secunia.com/advisories/47049/
>
> I briefly looked in archivers/libarchive to see about submitting a
> patch, but it seems it's not a standard package. It seems to contain
> the entire source distribution in archivers/libarchive/files rather
> than downloading a source distribution file and possibly patching it.
> I'm not a pkgsrc expert, but my guess is that this is done because
> it's needed for bootstrapping (?).
>
> Also strange is that what's under archivers/libarchive/files is not
> exactly the same as what I get if I download libarchive-2.8.4.tar.gz
> from www.libarchive.org. I would have thought that such changes would
> be encapsulated in commented patch files.
>
> Is there a plan to upgrade libarchive to 2.8.5 or to patch it so that
> it's no longer vulnerable?
>
> Thanks!
>
> Lewis
Ping.
I'm probably not the best person to fix this, but if it's a problem of
finding someone to do the work, would developers be open to a patch (or
tarball) from me to upgrade to libarchive 2.8.5?
Or maybe this has a history that I don't know about, and there's a
reason why it hasn't been upgraded. It seems like libarchive has been
vulnerable in pkgsrc for a while now. Is everyone else fine with this
vulnerability continuing to exist? Or perhaps everyone understands it
and knows it's not a real problem?
Jonathan Perkins, what do you do at Joyent? Do all your systems contain
this vulnerable version of libarchive and that's OK with you?
Thanks!
Lewis