On Sun, Nov 04, 2007 at 06:21:34PM +1100, Steffen Joeris wrote: > The following CVE[0] was issued for tar, but it seems that cpio is also > affected. > > CVE-2007-4476: > > Buffer overflow in the safer_name_suffix function in GNU tar has > unspecified attack vectors and impact, resulting in a "crashing stack." > > You can find a patch in the tar bugreport[1]. The code in question can > be found in lib/paxnames.c .
The patch does not apply cleanly (hunk #1 fails even if the filename is changed to lib/paxnames.c ). Furthermore, a quick glance suggests to me that this code isn't actually being used. Am I wrong? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]