Re: bsdcpio and bsdtar installed by default

To: tech-userlevel%NetBSD.org@localhost
Subject: Re: bsdcpio and bsdtar installed by default
From: Joerg Sonnenberger <joerg%britannica.bec.de@localhost>
Date: Tue, 24 Jun 2008 14:47:57 +0200

On Tue, Jun 24, 2008 at 06:03:17AM +0200, Tonnerre Lombard wrote:
> On the other hand, we depend on GNU Tar and pax heavily for our code.
> Are you sure these have been audited to the appropriate level?

GNU tar certainly had more than one major security issue.
For pkgsrc, we have at least one arbitrary code and one arbitrary file
overwrite issue.

> Especially our pax appears to be so unimportant that it is not even
> mentioned as an audit target. I'm not sure this is such a better base
> for security assumptions.

pax doesn't handle any non-trivial file formats (e.g. basically fixed
records only) and therefore is literally dumb enough to avoid most
issues. But of course, this is part of the problem that started this
discussion.

Joerg

Follow-Ups:
- Re: bsdcpio and bsdtar installed by default
  - From: Alistair Crooks

References:
- bsdcpio and bsdtar installed by default
  - From: Joerg Sonnenberger
- Re: bsdcpio and bsdtar installed by default
  - From: Alistair Crooks
- Re: bsdcpio and bsdtar installed by default
  - From: Tonnerre Lombard
- Re: bsdcpio and bsdtar installed by default
  - From: Alistair Crooks
- Re: bsdcpio and bsdtar installed by default
  - From: Tonnerre Lombard

Prev by Date: Re: bin/39002: harmful AWK extension: non-portable escaped character
Next by Date: Re: bin/39002: harmful AWK extension: non-portable escaped character
Previous by Thread: Re: bsdcpio and bsdtar installed by default
Next by Thread: Re: bsdcpio and bsdtar installed by default
Indexes:

Home | Main Index | Thread Index | Old Index