MIR report for unzoo
Bug #261938 reported by Leonel Nunez
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
unzoo (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: unzoo
MIR Report: https:/
I don't really like this. The source code only declares statically sized buffers and makes *no* attempt at bounds checking. I.e., it is not hard to create fuzzified zoo archives which create exploitable stack overflows, etc. Also, upstream hasn't updated the program in 6 years. I guess the fact that .zoo archives aren't popular contributes to the fact of being dead upstream and not being examined by security analysts.
Do you consider zoo archives important enough to warrant the Recommends: in clamav? If so, and the MIR should stand, the code needs some serious overhaul.
Third issue is that zoo archives are