tech-userlevel archive


Re: bsdcpio and bsdtar installed by default



On Sun, Jun 22, 2008 at 11:10:29AM +0200, Tonnerre Lombard wrote:
> Salut, Alistair,
> 
> On Sun, 22 Jun 2008 08:13:19 +0100, Alistair Crooks wrote:
> >     http://www.novell.com/linux/security/advisories/2007_15_sr.html
> > 
> > has an interesting section about security problems in libarchive.
> > 
> >    - libarchive security problems
> > 
> >      Several problems in libarchive were fixed.
> > 
> >      Specially crafted tar-archives could cause programs based on
> >      libarchive to crash, to run into an endless loop or potentially
> >      to even execute arbitrary code (CVE-2007-3641, CVE-2007-3644,
> >      CVE-2007-3645).
> > 
> > Is this the same libarchive that you want to see us move towards?
> 
> Most likely, but if you have a look at these CVEs, you will realize
> that they have all been fixed upstream.
> 
> It is not a flaw of an application to have security problems as long as
> it is not a systematic problem (like with PHP, for example).

In software engineering (as opposed to the "rewrite it because I can't
understand it" clueless lemming spree that is being espoused in some
places), most errors occur in places where the code was last changed.

Does libarchive have a comprehensive set of regression tests to make
sure that no bugs have crept back in? Or a test suite at all?

I would certainly hope that the bugs had been fixed upstream.  But
that doesn't alter the fact that there were exploitable bugs, and so
my confidence in this software is less than it was.  Not just
exploitable bugs - "potentially to even execute arbitrary code" bugs.

Please remind me again when this code was audited, and by whom.

Thanks,
Al

