On 2014-12-05 11:58, Mark Wielaard wrote:
We don't specifically track any security issues, we just treat them as bugs
to be fixed and do a new release when enough/important bugs have been fixed.
There have been people who have filed CVEs against elfutil bugs though.
I don't have any experience with
On Sun, Dec 28, 2014 at 11:00:48PM +0300, Alexander Cherepanov wrote:
> >Is your example something that is actually produced by another ar
> >implementation? Or is it an example of a bad long file name that
> >we don't handle properly?
>
> Yes, this is a constructed example of a malicious file. An
On 2014-12-27 14:42, Mark Wielaard wrote:
On Sat, Dec 27, 2014 at 04:31:14AM +0300, Alexander Cherepanov wrote:
On 2014-12-27 01:00, Mark Wielaard wrote:
diff --git a/src/strings.c b/src/strings.c
index f60e4b4..d1eb7b2 100644
--- a/src/strings.c
+++ b/src/strings.c
@@ -725,8 +725,21 @@ read_el
On 2014-12-28 14:54, Mark Wielaard wrote:
On Sun, Dec 28, 2014 at 02:46:15AM +0300, Alexander Cherepanov wrote:
There is a directory traversal in `ar`:
# printf '!\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
# ar -xv test.a
x - /file
Patch attached.
Thanks, but I think we need a
On Sun, Dec 28, 2014 at 02:46:15AM +0300, Alexander Cherepanov wrote:
> There is a directory traversal in `ar`:
>
> # printf '!\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
> # ar -xv test.a
> x - /file
>
> Patch attached.
Thanks, but I think we need a bit more background.
Unfortunat