Just how bad are the consequences of not promoting this package to main? The code is fairly gross. There's absolute gobs of writing outside array bounds, resource leaks, potential uses of uninitialized variables, etc.
I don't know if there's any security-relevant findings -- busybox is almost always restricted solely to a system administrator who is in trouble and needs tools and can't have the Good Tools for whatever reason, so a lot of the choices sort of make sense. However, there's just a lot of choices that may have made sense thirty years ago that just don't make sense today, and a lot of the choices make it much harder to use Coverity or similar tools to find the real bugs. Actually bringing the entire codebase up to modern standards is not going to be cost-effective (and probably not within the goals of the project).

Thanks

--
Bug: https://bugs.launchpad.net/bugs/1933979
Title: [MIR] busybox package
