pkgsrc-Users archive


libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability



Hello.

I'm tracking pkgsrc-2014Q1, and "pkg_admin audit" reports the following:

Package libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability, see 
http://secunia.com/advisories/47049/

I briefly looked in archivers/libarchive to see about submitting a
patch, but it seems it's not a standard package.  It seems to contain
the entire source distribution in archivers/libarchive/files rather than
downloading a source distribution file and possibly patching it.  I'm
not a pkgsrc expert, but my guess is that this is done because it's
needed for bootstrapping (?).

Also strange is that what's under archivers/libarchive/files is not
exactly the same as what I get if I download libarchive-2.8.4.tar.gz
from www.libarchive.org.  I would have thought that such changes would
be encapsulated in commented patch files.

Is there a plan to upgrade libarchive to 2.8.5 or to patch it so that
it's no longer vulnerable?

Thanks!

Lewis

