MidnightBSD Developer Journal

Several vulnerabilities have been found in archivers/lha. These are similar to the gzip issues found a few months back. MidnightBSD was the first to get an update into ports as OpenBSD, NetBSD's pkgsrc and FreeBSD do not have an update in cvs. Several of the linux distros beat us to it, however.

In the process, I've switched the port over to a maintained version. The original had not been updated since 2000 and had port specific patches up to two years ago. OpenBSD is using this version as well although they haven't updated to p1.

The port was a bit rushed so please report any problems with it.

OpenLDAP was updated to 2.3.30 to work around some potential security issues. OpenLDAP-sasl-client was added to mports as well.

msdosfs was patched to handle dates correctly.

Teemu Salmela has reported a security issue in GNU tar, which can be
exploited by malicious people to overwrite arbitrary files.

The security issue is caused due to the "extract_archive()" function
in extract.c and the "extract_mangle()" function in mangle.c still
processing the deprecated "GNUTYPE_NAMES" record type containing
symbolic links. This can be exploited to overwrite arbitrary files by
e.g. tricking a user into unpacking a specially crafted tar file.

The security issue is reported in version 1.15.1 and 1.16. Other
versions may also be affected.


---

MidnightBSD mports included 1.15.1 which is vulnerable.