Activity log for bug #238883
| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2008-06-10 14:52:30 | Jonathan Riddell | bug | added bug | ||
| 2008-06-13 15:45:37 | Martin Pitt | libzip: status | New | Incomplete | |
| 2008-06-13 15:45:37 | Martin Pitt | libzip: assignee | ubuntu-security | ||
| 2008-08-22 18:47:40 | Jonathan Riddell | libzip: statusexplanation | This has been blocking for long enough. Moved to main and set to beta milestone. | ||
| 2008-08-22 18:47:40 | Jonathan Riddell | libzip: milestone | ubuntu-8.10-beta | ||
| 2008-09-17 20:52:05 | Jamie Strandboge | libzip: assignee | ubuntu-security | jdstrand | |
| 2008-09-17 20:52:05 | Jamie Strandboge | libzip: statusexplanation | This has been blocking for long enough. Moved to main and set to beta milestone. | Sorry for the delay on this. I'll be looking at it now and comment within the next couple days. | |
| 2008-09-24 19:35:21 | Jamie Strandboge | libzip: status | Incomplete | Fix Released | |
| 2008-09-24 19:35:21 | Jamie Strandboge | libzip: statusexplanation | Sorry for the delay on this. I'll be looking at it now and comment within the next couple days. | Summary: I'm comfortable recommending libzip for main Discussion: While not an exhaustive review, I looked into: no format string issues or warnings There is use of strcpy(), but its use is verified as ok It has some interesting use of umask(), but seems ok There is what appears to be a potentially dodgy mkstemp implementation, but libzip doesn't compile it in on Ubuntu I spent a bit of time in one function checking out if a static buffer could be overflowed and verified the signed math is safe, and all appears ok. The above spot checks along with the good security history and the new compiler hardening options on by default leads me to believe libzip won't be too much trouble. |
