tech-userlevel archive
Re: bsdcpio and bsdtar installed by default
On Tue, Jun 24, 2008 at 02:47:57PM +0200, Joerg Sonnenberger wrote:
> On Tue, Jun 24, 2008 at 06:03:17AM +0200, Tonnerre Lombard wrote:
> > On the other hand, we depend on GNU Tar and pax heavily for our code.
> > Are you sure these have been audited to the appropriate level?
>
> GNU tar certainly had more than one major security issue.
> For pkgsrc, we have at least one arbitrary code and one arbitrary file
> overwrite issue.
Sendmail has had a number of security issues, too. NetBSD and pkgsrc
do not rely on it, either. What's your point?
> > Especially our pax appears to be so unimportant that it is not even
> > mentioned as an audit target. I'm not sure this is such a better base
> > for security assumptions.
>
> pax doesn't handle any non-trivial file formats (e.g. basically fixed
> records only) and therefore is literally dumb enough to avoid most
> issues.
To paraphrase your argument - pax is dumb, so it's not a problem. But
newer software, written with previous exploits in mind, has been found
to have 3 vulnerabilities, all of which have been fixed. I'm not sure
I believe what you're saying - but that's what started this discussion
in the first place.
> But of course, this is part of the problem that started this
> discussion.
Not really. The problem that started this part of the discussion was
that we weren't informed of the CVEs relating to libarchive; its use
is likely to be as the root user on a number of archives. Executing
arbitrary code in this usage model is something I'm concerned about.
I believe you should have been, too. Disclose information up front,
please, so that people know all the pertinent issues.
Thanks,
Alistair
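The two bug classes named in this thread, arbitrary file overwrite and code execution during extraction, both start at the archive header. The block below is an added example, not code from the thread, pax, GNU tar or libarchive: it parses the fixed 512-byte ustar header that pax-format archives use (the "fixed records" Joerg refers to), verifies the header checksum, rejects malformed octal fields instead of trusting them, and refuses member names that would escape the extraction directory (absolute paths or ".." components). Field offsets are the standard ustar layout; `make_header` and the sample names are constructed here for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example (not pax/libarchive code): defensive checks on a ustar header. */
#define TAR_BLOCK 512

/* Parse a NUL/space-terminated octal field of at most n bytes.
 * Returns -1 on an empty field, a non-octal byte, or overflow. */
static long parse_octal(const unsigned char *p, size_t n) {
    long v = 0;
    size_t i = 0;
    while (i < n && (p[i] == ' ' || p[i] == '\0')) i++;  /* leading pad */
    if (i == n) return -1;
    for (; i < n && p[i] != ' ' && p[i] != '\0'; i++) {
        if (p[i] < '0' || p[i] > '7') return -1;          /* not octal */
        if (v > (LONG_MAX >> 3)) return -1;               /* would overflow */
        v = (v << 3) | (long)(p[i] - '0');
    }
    return v;
}

/* 1 if name can only land inside the extraction directory:
 * non-empty, not absolute, and no ".." path component. */
int safe_member_name(const char *name) {
    if (name[0] == '\0' || name[0] == '/') return 0;
    for (const char *p = name; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if ((size_t)(p - seg) == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* ustar checksum: sum of all 512 bytes with the chksum field read as spaces. */
static int checksum_ok(const unsigned char *h) {
    long stored = parse_octal(h + 148, 8);
    if (stored < 0) return 0;
    unsigned long sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++)
        sum += (i >= 148 && i < 156) ? (unsigned char)' ' : h[i];
    return (long)sum == stored;
}

enum tar_verdict { TAR_OK = 0, TAR_BAD_CHECKSUM, TAR_BAD_SIZE, TAR_UNSAFE_NAME };

/* Inspect one header block. On TAR_OK, name (NUL-terminated, bounded to the
 * 100-byte field) and size are filled in. The name field need not be
 * NUL-terminated in the archive, so it is copied with an explicit bound. */
enum tar_verdict check_header(const unsigned char *h, char name[101], long *size) {
    if (!checksum_ok(h)) return TAR_BAD_CHECKSUM;
    memcpy(name, h, 100);
    name[100] = '\0';
    long sz = parse_octal(h + 124, 12);
    if (sz < 0) return TAR_BAD_SIZE;
    *size = sz;
    if (!safe_member_name(name)) return TAR_UNSAFE_NAME;
    return TAR_OK;
}

/* Constructed test input: build a plausible ustar header for a regular file.
 * size_field is written raw so malformed values can be exercised. */
void make_header(unsigned char h[TAR_BLOCK], const char *name, const char *size_field) {
    memset(h, 0, TAR_BLOCK);
    size_t n = strlen(name);
    if (n > 100) n = 100;
    memcpy(h, name, n);                         /* name     @0,   100 */
    memcpy(h + 100, "0000644", 8);              /* mode     @100, 8   */
    memcpy(h + 108, "0000000", 8);              /* uid      @108, 8   */
    memcpy(h + 116, "0000000", 8);              /* gid      @116, 8   */
    strncpy((char *)h + 124, size_field, 12);   /* size     @124, 12  */
    memcpy(h + 136, "00000000000", 12);         /* mtime    @136, 12  */
    h[156] = '0';                               /* typeflag: regular file */
    memcpy(h + 257, "ustar", 6);                /* magic    @257, 6   */
    memcpy(h + 263, "00", 2);                   /* version  @263, 2   */
    unsigned long sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++)
        sum += (i >= 148 && i < 156) ? (unsigned char)' ' : h[i];
    char cs[8];
    snprintf(cs, sizeof cs, "%06lo", sum);      /* 6 octal digits + NUL */
    memcpy(h + 148, cs, 7);
    h[155] = ' ';
}

int main(void) {
    const char *names[] = { "etc/passwd", "../../etc/passwd", "/etc/passwd" };
    unsigned char h[TAR_BLOCK];
    char name[101];
    long size;
    for (size_t i = 0; i < 3; i++) {
        make_header(h, names[i], "00000000017");
        printf("%-20s verdict=%d\n", names[i], (int)check_header(h, name, &size));
    }
    return 0;
}
```

A real extractor also has to apply the same name check to the linkname field (hard links and symlinks), and to the long-name extensions (GNU "././@LongLink", pax "path" records) that pax's fixed-record format does not use; those are exactly the "non-trivial" parts where more parsing means more surface.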