Re: bsdcpio and bsdtar installed by default
On Tue, Jun 24, 2008 at 02:47:57PM +0200, Joerg Sonnenberger wrote:
> On Tue, Jun 24, 2008 at 06:03:17AM +0200, Tonnerre Lombard wrote:
> > On the other hand, we depend on GNU Tar and pax heavily for our code.
> > Are you sure these have been audited to the appropriate level?
> GNU tar certainly had more than one major security issue.
> For pkgsrc, we have at least one arbitrary code and one arbitrary file
> overwrite issue.
Sendmail has had a number of security issues, too. NetBSD and pkgsrc
do not rely on it, either. What's your point?
> > Especially our pax appears to be so unimportant that it is not even
> > mentioned as an audit target. I'm not sure this is such a better base
> > for security assumptions.
> pax doesn't handle any non-trivial file formats (e.g. basically fixed
> records only) and therefore is literally dumb enough to avoid most
To paraphrase your argument - pax is dumb, so it's not a problem. But
newer software, written with previous exploits in mind, has been found
to have 3 vulnerabilities, all of which have been fixed. I'm not sure
I believe what you're saying - but that's what started this discussion
in the first place.
> But of course, this is part of the problem that started this
Not really. The problem that started this part of the discussion was
that we weren't informed of the CVEs relating to libarchive; its use
is likely to be as the root user on a number of archives. Executing
arbitrary code in this usage model is something I'm concerned about.
I believe you should have been, too. Disclose information up front,
please, so that people know all the pertinent issues.