Re: [AMaViS-user] (!)WARN: Using cpio instead of pax can be a security risk;
At 00:49 30.11.2006, you wrote:
> I personally have no real answers for you on this, but doesn't your distro
> have 'pax' available where you could simply install the pax
> package/port/whatever?

no distro - it's linux from scratch...

> Gary V

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: [AMaViS-user] (!)WARN: Using cpio instead of pax can be a security risk;
At 01:54 30.11.2006, you wrote:
>> why can using cpio be a security risk?
>> (i'm using cpio (GNU cpio) 2.7)
>
> cpio can be tricked to decode multiple archive components into
> the same file, overwriting previous contents, which could help in
> camouflaging a virus.

thank you for explaining it.

> pax has options which can reduce the problem to a large extent
> (including some other implications of the same), although it
> still is not perfect for the job. tar is very much nonstandard
> and limited in formats it supports compared to pax.
>
>> if so, which pax version is advisable to choose?
>
> If your OS comes with it, it should do (unless it is ancient).
> Otherwise compile it from source, or use a heirloom version,
> which is quite good.

i wasn't able to find the latest GNU paxutils, the gnu/savannah pages are confusing me... so i'll take heirloom pax

thank you again, Mark!

MK

Re: [AMaViS-user] (!)WARN: Using cpio instead of pax can be a security risk;
MK wrote:
> found this in amavisd.log (i inserted the line breaks for better reading...):
>
> #
> (!)WARN: Using cpio instead of pax can be a security risk; please add:
> $pax='pax'; to amavisd.conf and check that the pax(1) utility is
> available on the system!
> (!)do_pax_cpio/1: exit 1
> (!)Decoding of p003 (tar archive) failed, leaving it unpacked:
> do_pax_cpio: exit 1
> /usr/bin/cpio: Malformed number777 \n
> /usr/bin/cpio: Malformed number376 \n
> /usr/bin/cpio: Malformed number 1 \n
> /usr/bin/cpio: Malformed number 213000 \n
> /usr/bin/cpio: Malformed number 10450757133 \n
> /usr/bin/cpio: Malformed number \n
> /usr/bin/cpio: Malformed number \n
> /usr/bin/cpio: premature end of file at (eval 49) line 1239.
> #
>
> why can using cpio be a security risk?
> (i'm using cpio (GNU cpio) 2.7)
>
> and, if so, which pax version is advisable to choose?
> i'm confused about the current state of tar/pax/cpio merging code or not...
> the heirloom toolchest contains pax, cpio and tar - so do the GNU paxutils
> (although i don't find an actual download on savannah.gnu.org - just CVS).
> which is best to choose?
>
> thanks
> MK

I personally have no real answers for you on this, but doesn't your distro have 'pax' available where you could simply install the pax package/port/whatever?

Gary V

Re: [AMaViS-user] (!)WARN: Using cpio instead of pax can be a security risk;
> why can using cpio be a security risk?
> (i'm using cpio (GNU cpio) 2.7)

cpio can be tricked to decode multiple archive components into the same file, overwriting previous contents, which could help in camouflaging a virus.

pax has options which can reduce the problem to a large extent (including some other implications of the same), although it still is not perfect for the job. tar is very much nonstandard and limited in formats it supports compared to pax.

> if so, which pax version is advisable to choose?

If your OS comes with it, it should do (unless it is ancient). Otherwise compile it from source, or use a heirloom version, which is quite good.

Mark

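Added example (not part of the original thread and not amavisd-new code): a pre-extraction check for the problem described in the message above, where several archive components decode to the same file. It walks the headers of a tar archive without extracting anything and reports every path stored more than once; it goes slightly beyond the case in the text by normalising paths so that 'report.txt' and './report.txt' count as the same file. The function names and the sample archives are assumptions constructed for illustration, and Python's tarfile module stands in for the external decoder.

```python
import io
import posixpath
import tarfile
from collections import Counter


def duplicate_members(fileobj):
    """Return {path: count} for each file path stored more than once.

    Paths are normalised first, so 'a.txt' and './a.txt' count as one file.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        counts = Counter(
            posixpath.normpath(member.name)
            for member in archive  # header walk only, nothing is extracted
            if not member.isdir()
        )
    return {path: n for path, n in counts.items() if n > 1}


def build_sample(entries):
    """Constructed test input: an in-memory tar built from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed samples: harmless text files, one path stored twice.
CLEAN = [("report.txt", b"first\n"), ("notes/readme.txt", b"hello\n")]
REPEATED = CLEAN + [("./report.txt", b"second\n")]

if __name__ == "__main__":
    for label, entries in (("clean", CLEAN), ("repeated", REPEATED)):
        found = duplicate_members(build_sample(entries))
        print(label, "->", found or "no repeated paths")
```

A non-empty result means the content a scanner sees after extraction depends on which copy was written last, so the archive is better flagged than trusted.
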
Re: [AMaViS-user] (!)WARN: Using cpio instead of pax can be a security risk;
> tar is very much nonstandard and limited in formats ...

...nonstandard across platforms that is, each Unix variant has quite a different tar, while pax is pretty much the same everywhere.

Mark