zoo contains exploitable buffer overflows
Hans de Goede
j.w.r.degoede at hhs.nl
Mon Feb 27 10:06:07 UTC 2006
Nicolas Mailhot wrote:
>
> What is the general feeling on the list?
>
> 1. apply the patch (or a cleaner one if someone writes one - not me my C
> is much too rusty) and trust other problems will be caught by glibc?
>
> 2. do not apply the patch, trust glibc to catch problems?
>

I would rather not trust glibc; it might very well do its job, but I
would rather just see the code fixed.

> 3. pull zoo from FE, instruct current users like amavisd-new to kill zoo
> files on sight instead of trying to check them, make them conflict with
> zoo to make sure it's removed from user systems?
>
> 4. a mix of all this, depending on the FE version?
>

Hmm, dunno. What about:

5. Get someone to do a proper audit (how big is it anyways? I recently
completed an audit of scorched3d, which is huge).

6. Find a replacement:
I've been thinking about packaging http://sourceforge.net/projects/sevenzip
recently, as that will give us open source support for arj, rar and cab
all in one utility. I dunno if it supports zoo format too; it does
support lots of other formats.

Regards,
Hans