From owner-cvs-all@FreeBSD.ORG Thu Nov 29 20:23:37 2007
Return-Path:
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC13F16A418; Thu, 29 Nov 2007 20:23:37 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk)
Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.freebsd.org (Postfix) with ESMTP id 6D41613C45A; Thu, 29 Nov 2007 20:23:36 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk)
Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 0F51B2DD3F0; Thu, 29 Nov 2007 20:23:36 +0000 (UTC)
Received: by zaphod.nitro.dk (Postfix, from userid 3000) id D599B1149D; Thu, 29 Nov 2007 21:23:35 +0100 (CET)
Date: Thu, 29 Nov 2007 21:23:35 +0100
From: "Simon L. Nielsen"
To: Alexey Dokuchaev
Message-ID: <20071129202334.GA1160@zaphod.nitro.dk>
References: <200711291608.lATG8s7Q067912@repoman.freebsd.org> <20071129180038.GA598@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20071129180038.GA598@FreeBSD.org>
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/contrib/tar/src misc.c src/sys/dev/random yarrow.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 29 Nov 2007 20:23:37 -0000

On 2007.11.29 18:00:38 +0000, Alexey Dokuchaev wrote:
> On Thu, Nov 29, 2007 at 04:08:54PM +0000, Simon L. Nielsen wrote:
> > simon       2007-11-29 16:08:54 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:        (Branch: RELENG_5)
> >     contrib/tar/src      misc.c
> >     sys/dev/random       yarrow.c
> >   Log:
> >   Correct a random value disclosure in random(4). [07:09]
> >
> >   Correct a gtar directory traversal vulnerability. [07:10]
> >
> >   Security:       FreeBSD-SA-07:09.random
> >   Security:       FreeBSD-SA-07:10.gtar
>
> Is 4.x vulnerable?

For gtar, very likely.  For random(4) I don't know - it's likely it has
older random code which isn't affected (at least I seem to recall it was
different)..

> Is it going to be fixed?  I can test patches.  :-)

I and secteam have no plans to fix it, but if someone wants to fix it in
RELENG_4 we don't have any problems with that.

-- 
Simon L. Nielsen
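The commit quoted in this thread corrects a directory traversal vulnerability in gtar (FreeBSD-SA-07:10.gtar), the class of bug where an archive member name such as `../x` or an embedded `a/../../x` makes the extractor write outside the directory it was told to unpack into. The following is an added example, not code from this thread, from FreeBSD's tar fix, or from GNU tar: it shows the member-name check a defensive extractor applies before writing anything, and wires it into Python's standard `tarfile` module. The sample member names and the in-memory archive are constructed for the demonstration; `is_unsafe_path`, `extract_checked` and `demo_extract` are names chosen here.

```python
import io
import os
import tarfile
import tempfile


def is_unsafe_path(name: str) -> bool:
    """True if an archive path (member name or link target) could resolve
    outside the extraction root.

    Rejected: empty names, absolute names, and a '..' component anywhere in
    the path. Only checking whether the name *starts* with '..' is not
    enough: 'a/../../x' escapes too. Counting depth ('a/../b' nets out
    inside the root) is also not enough, because an earlier member may have
    created 'a' as a symlink, after which 'a/..' is no longer the extraction
    root. So every '..' component is refused outright.
    """
    if not name or name.startswith("/"):
        return True
    return any(part == ".." for part in name.split("/"))


def is_unsafe_member(member: tarfile.TarInfo) -> bool:
    """Apply the path check to a member's name and, for links, its target."""
    if is_unsafe_path(member.name):
        return True
    if member.issym() or member.islnk():
        return is_unsafe_path(member.linkname)
    return False


# Constructed sample member names; not taken from the advisory.
SAMPLE_NAMES = [
    "ok/file.txt",       # plain relative path: safe
    "./ok/sub/x",        # leading './' is harmless: safe
    "../escape",         # leading '..': unsafe
    "ok/../../escape2",  # embedded '..' climbing past the root: unsafe
    "ok/../also_ok",     # nets out inside the root but still refused (symlink caveat)
    "/abs/path",         # absolute: unsafe
]


def build_sample_archive() -> bytes:
    """Build an in-memory tar holding SAMPLE_NAMES plus one symlink whose
    target points above the extraction root (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in SAMPLE_NAMES:
            data = b"x\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="ok/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


def extract_checked(archive: bytes, dest: str):
    """Extract only members that pass the checks; return (extracted, skipped)
    member names. On Python 3.12+ the stdlib 'data' filter is applied too."""
    extracted, skipped = [], []
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            if is_unsafe_member(member):
                skipped.append(member.name)
                continue
            tf.extract(member, path=dest, **extra)
            extracted.append(member.name)
    return extracted, skipped


def demo_extract():
    """Unpack the constructed archive into a scratch directory and report
    which members were written, which were refused, and the relative paths
    of the files that actually landed on disk."""
    with tempfile.TemporaryDirectory() as d:
        done, refused = extract_checked(build_sample_archive(), d)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), d)
            for root, _, files in os.walk(d) for f in files
        )
    return done, refused, on_disk


if __name__ == "__main__":
    done, refused, on_disk = demo_extract()
    print("extracted:", done)
    print("refused:  ", refused)
    print("on disk:  ", on_disk)
```

The check is deliberately stricter than a resolved-path comparison: refusing any `..` component costs nothing for well-formed archives and closes the case where a previously extracted symlink changes what a later `..` refers to. Python 3.12 and later ship a `filter="data"` option for `TarFile.extract` that performs comparable checks in the library itself; the code above uses it when available, so the explicit check and the library filter back each other up.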