Bug 257861

Summary: archivers/arc: Vulnerable to CVE-2015-9275
Product: Ports & Packages Reporter: Bernhard Froehlich <decke>
Component: Individual Port(s)Assignee: Xin LI <delphij>
Status: New ---    
Severity: Affects Only Me CC: decke
Priority: --- Flags: bugzilla: maintainer-feedback? (delphij)
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://nvd.nist.gov/vuln/detail/CVE-2015-9275

Description Bernhard Froehlich freebsd_committer freebsd_triage 2021-08-15 13:30:01 UTC 
I just noticed that the port is vulnerable to CVE-2015-9275.

https://nvd.nist.gov/vuln/detail/CVE-2015-9275
Comment 1 Xin LI freebsd_committer freebsd_triage 2021-08-20 23:37:14 UTC 
Thanks for the report.  Unfortunately I am too busy to work on this right now and the situation would persist for about 2 weeks or so.

In case someone would want to work on this, please feel free to commit a fix as long as you are confident with it.

My discoveries so far, in case people want to work on it:

1) Debian patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527

Note that they need to be adapted to FreeBSD port; 

2) Debian have migrated to a different upstream, https://github.com/ani6al/arc which appears to be unmaintained.

The Debian version (5.21q) have some license cleanups, which seems to be authorized by original owner (see https://lists.debian.org/debian-legal/2011/09/msg00018.html ) but I haven't dig into this further.  We probably want to move to this upstream too.

3) There are other unresolved bugs with Debian port:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774439