tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bsdcpio and bsdtar installed by default

On Tue, Jun 24, 2008 at 06:03:17AM +0200, Tonnerre Lombard wrote:
> On the other hand, we depend on GNU Tar and pax heavily for our code.
> Are you sure these have been audited to the appropriate level?

GNU tar certainly had more than one major security issue.
For pkgsrc, we have at least one arbitrary code and one arbitrary file
overwrite issue.

> Especially our pax appears to be so unimportant that it is not even
> mentioned as an audit target. I'm not sure this is such a better base
> for security assumptions.

pax doesn't handle any non-trivial file formats (e.g. basically fixed
records only) and therefore is literally dumb enough to avoid most
issues. But of course, this is part of the problem that started this


Home | Main Index | Thread Index | Old Index