Re: cvs commit: src/contrib/tar/src misc.c src/sys/dev/random yarrow.c

From: Simon L. Nielsen <simon_at_FreeBSD.org>
Date: Thu, 29 Nov 2007 21:23:35 +0100
On 2007.11.29 18:00:38 +0000, Alexey Dokuchaev wrote:
> On Thu, Nov 29, 2007 at 04:08:54PM +0000, Simon L. Nielsen wrote:
> > simon       2007-11-29 16:08:54 UTC
> > 
> >   FreeBSD src repository
> > 
> >   Modified files:        (Branch: RELENG_5)
> >     contrib/tar/src      misc.c 
> >     sys/dev/random       yarrow.c 
> >   Log:
> >   Correct a random value disclosure in random(4). [07:09]
> >   
> >   Correct a gtar directory traversal vulnerability. [07:10]
> >   
> >   Security:       FreeBSD-SA-07:09.random
> >   Security:       FreeBSD-SA-07:10.gtar
> 
> Is 4.x vulnerable?

For gtar, very likely.  For random(4) I don't know - it's likely it
has older random code which isn't affected (at least I seem to recall
it was different)..

> Is it going to be fixed?  I can test patches.  :-)

I and secteam have no plans to fix it, but if someone wants to fix it
in RELENG_4 we don't have any problems with that.

-- 
Simon L. Nielsen
Received on Thu Nov 29 2007 - 20:23:37 UTC