Conversation
Notices
-
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 05-Apr-2024 16:59:11 JST buherator Finally a sane discussion about that safe_fprintf() -> fprintf() patch in libarchive:
https://www.openwall.com/lists/oss-security/2024/04/03/17
As far as I can tell the only known vector so far is messing with terminal escape sequences which are of questionable utility, but the patch may be part of some more complex scheme. Maybe the plot was to first fall back to vanilla fprintf(), then remove the format string parameter ina later patch (which didn't happen)?- clacke likes this.