Bug 257861 - archivers/arc: Vulnerable to CVE-2015-9275
Summary: archivers/arc: Vulnerable to CVE-2015-9275
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Xin LI
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-15 13:30 UTC by Bernhard Froehlich
Modified: 2021-08-20 23:37 UTC

See Also:
bugzilla: maintainer-feedback? (delphij)


Description Bernhard Froehlich freebsd_committer freebsd_triage 2021-08-15 13:30:01 UTC
I just noticed that the port is vulnerable to CVE-2015-9275.

https://nvd.nist.gov/vuln/detail/CVE-2015-9275
Comment 1 Xin LI freebsd_committer freebsd_triage 2021-08-20 23:37:14 UTC
Thanks for the report.  Unfortunately I am too busy to work on this right now and the situation would persist for about 2 weeks or so.

In case someone would want to work on this, please feel free to commit a fix as long as you are confident with it.

My discoveries so far, in case people want to work on it:

1) Debian patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527

Note that they need to be adapted to the FreeBSD port.

2) Debian has migrated to a different upstream, https://github.com/ani6al/arc, which appears to be unmaintained.

The Debian version (5.21q) has some license cleanups, which seem to be authorized by the original owner (see https://lists.debian.org/debian-legal/2011/09/msg00018.html ), but I haven't dug into this further.  We probably want to move to this upstream too.

3) There are other unresolved bugs with the Debian port:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774439