From: Robert Buchholz
To: gentoo-dev@lists.gentoo.org
Cc: Doug Goldstein
Subject: Re: [gentoo-dev] Re: RFC: lzma tarball usage
Date: Thu, 8 May 2008 16:33:48 +0200
Message-Id: <200805081633.49559.rbu@gentoo.org>
In-Reply-To: <4823031D.7050303@gentoo.org>

On Thursday 08 May 2008, Doug Goldstein wrote:
> Additionally to follow myself up, I believe one of the security
> issues was execution of arbitrary data either when untarred or just
> decompressed (assuming a specially crafted lzma file).

Can you please point me to the location where this is mentioned?
I read through the lzma git log, and all I could find was data corruption
(which usually is not a security issue) and the mention of the
word "security" inside the announcement.

Thanks,
Robert