Finally a sane discussion about that safe_fprintf() -> fprintf() patch in libarchive:

https://www.openwall.com/lists/oss-security/2024/04/03/17

As far as I can tell the only known vector so far is messing with terminal escape sequences which are of questionable utility, but the patch may be part of some more complex scheme. Maybe the plot was to first fall back to vanilla fprintf(), then remove the format string parameter in a later patch (which didn't happen)?