CC: debian security team, they set security policy, not me.

>>>>> "Joey" == Joey Hess <[EMAIL PROTECTED]> writes:

Joey> I don't really want to argue about whether this is a security
Joey> hole or try to dream up scenarios where compromised backups
Joey> are used to exploit a system during a restore. If you don't
Joey> think it's a security hole, that's fine.

I was after anybody's opinion on this matter, but nobody responded (until now).

Joey> However, the fact that the package is statically linked to a
Joey> version of gzip remains, and this version of gzip has a bug
Joey> which causes certain input streams to crash it. Having your
Joey> restore crash in the middle because some bits got flipped in
Joey> the backup is probably not much fun. Recompiling the
Joey> package to eliminate this possibility seems like a trivial
Joey> thing and a good idea.

I don't think this meets the requirements of a security update. Maybe a point release update (or whatever they are called).

Joey> Also, there will be security holes^W^Wbugs in gzip in the
Joey> future, so statically linking it is a bad thing in general.

If you don't want a static version of dar, then use dar instead of dar-static. dar-static is only intended for special cases when you might need a static library (e.g. restoring an entire system from scratch).

-- 
Brian May <[EMAIL PROTECTED]>
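As an added example (not code from this thread or from the dar project): a small Python audit that decides from the ELF program headers whether a binary is statically linked and lists any embedded gzip/zlib version strings, so a package like dar-static can be queued for a rebuild whenever the bundled compressor gets a fix. It assumes little-endian ELF64 input; `synthetic_elf` builds a constructed test image rather than reading a real package.

```python
import re
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
# Strings such as "gzip 1.2.4" or "inflate 1.2.11" betray a bundled compressor copy.
VERSION_RE = re.compile(rb"(gzip|zlib|inflate|deflate) (\d+\.\d+(?:\.\d+)?)")


def program_header_types(data: bytes) -> list[int]:
    """Return p_type of every program header in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", data, 32)          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    return [struct.unpack_from("<I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]


def is_statically_linked(data: bytes) -> bool:
    """A static executable carries no PT_INTERP (no ld.so) and no PT_DYNAMIC segment."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def embedded_compressor_versions(data: bytes) -> list[str]:
    """Collect distinct 'gzip x.y.z'-style strings found anywhere in the image."""
    found = {f"{m.group(1).decode()} {m.group(2).decode()}"
             for m in VERSION_RE.finditer(data)}
    return sorted(found)


def audit_file(path: str) -> tuple[bool, list[str]]:
    """Read a binary from disk and report (static?, bundled compressor versions)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return is_statically_linked(data), embedded_compressor_versions(data)


def synthetic_elf(ptypes, payload: bytes = b"") -> bytes:
    """Constructed minimal ELF64 header + program headers (assumption: test data only)."""
    phoff, phentsize = 64, 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                        64, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ehdr + phdrs + payload


if __name__ == "__main__":
    sample = synthetic_elf([1], b"\x00gzip 1.2.4\x00")  # PT_LOAD only: static, bundles gzip
    print(is_statically_linked(sample), embedded_compressor_versions(sample))
```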