MIR report for unzoo

Bug #261938 reported by Leonel Nunez
6
Affects Status Importance Assigned to Milestone
unzoo (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: unzoo

MIR Report :https://wiki.ubuntu.com/MainInclusionReportUnzoo

Revision history for this message
Martin Pitt (pitti) wrote :

I don't really like this. The source code only declares statically sized buffers and makes *no* attempt on bounds checking. I. e. it is not hard to create fuzzified zoo archives which create exploitable stack overflows, etc. Also, upstream hasn't updated the program in 6 years. I guess the fact that .zoo archives aren't popular contributes to the fact of being dead upstream and not being examined by security analysts.

Do you consider zoo archives important enough to warrant the Recommends: in clamav? If so, and the MIR should stand, the code needs some serious overhaul.

Third issue is that zoo archives are

Changed in unzoo:
status: New → Incomplete
Revision history for this message
Martin Pitt (pitti) wrote :

Ignore the third paragraph with the unfinished sentence, please.

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 261938] Re: MIR report for unzoo

I'd hoped not to diverge from Debian without a good reason. This sounds
like a good reason. I'll discuss dropping it to suggests with them also.

Revision history for this message
Martin Pitt (pitti) wrote :

Seems it's not necessary any more.

Changed in unzoo:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers