I don't really like this. The source code only declares statically sized
buffers and makes *no* attempt on bounds checking. I. e. it is not hard
to create fuzzified zoo archives which create exploitable stack
overflows, etc. Also, upstream hasn't updated the program in 6 years. I
guess the fact that .zoo archives aren't popular contributes to the fact
of being dead upstream and not being examined by security analysts.
Do you consider zoo archives important enough to warrant the Recommends:
in clamav? If so, and the MIR should stand, the code needs some serious
overhaul.
Third issue is that zoo archives are
** Changed in: unzoo (Ubuntu)
Status: New => Incomplete
--
MIR report for unzoo
https://bugs.launchpad.net/bugs/261938
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
