tech-userlevel archive

Re: bsdcpio and bsdtar installed by default

Salut, Alistair,

On Sun, 22 Jun 2008 08:13:19 +0100, Alistair Crooks wrote:
> has an interesting section about security problems in libarchive.
>    - libarchive security problems
>      Several problems in libarchive were fixed.
>      Specially crafted tar-archives could cause programs based on
>      libarchive to crash, to run into an endless loop or potentially
>      to even execute arbitrary code (CVE-2007-3641, CVE-2007-3644,
>      CVE-2007-3645).
> Is this the same libarchive that you want to see us move towards?

Most likely, but if you have a look at these CVEs, you will realize
that they have all been fixed upstream.

It is not a flaw of an application to have security problems as long as
it is not a systematic problem (like with PHP, for example).

