[Pkg-clamav-devel] unzoo as recommends
Scott Kitterman
debian at kitterman.com
Wed Sep 3 10:19:25 UTC 2008
Currently (as of 0.93.3) we have unzoo in recommends. I think that's
excessive as zoo archives are at best rare.

Additionally, with recommends installed by default, I don't think that unzoo
is in such a state that we want to inflict it on users by default. Martin
Pitt (pitti) just did a review of it in Ubuntu for one of our internal
processes and concluded:

"The source code only declares statically sized buffers and makes *no* attempt
on bounds checking. I.e. it is not hard to create fuzzified zoo archives
which create exploitable stack overflows, etc. Also, upstream hasn't updated
the program in 6 years. I guess the fact that .zoo archives aren't popular
contributes to the fact of being dead upstream and not being examined by
security analysts."

The discussion was in Ubuntu bug 261938 on the off chance anyone is deeply
interested:

https://bugs.launchpad.net/bugs/261938

I think this is clear cut enough I'd do it in the repo myself if my Git foo
were better and I didn't know that an upload was imminent.

Scott K