DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th August 2016
betweendayandnight betweendayandnight is offline
friendly
 
Join Date: Jul 2015
Posts: 67
Default Does OpenBSD use libarchive sandboxing code?

I came across two URLs:

https://github.com/libarchive/libarchive/issues/743

https://gist.github.com/anonymous/e4...992717e7b89c4f

I wonder if OpenBSD uses the same components as FreeBSD, viz.:

1. portsnap
2. libarchive/bsdtar
3. bspatch

If it does, are the above three components in OpenBSD exposed to the same vulnerabilities as FreeBSD?
Reply With Quote
  #2   (View Single Post)  
Old 13th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,586
Default

There is no libarchive in OpenBSD. There's a mention of it in a regression test. Neither portsnap nor bspatch are in the OS either.
Code:
$ find /usr/src -type f -exec grep -l libarchive {} +
/usr/src/regress/usr.bin/mdoclint/mdoclint
$ ls /usr/lib/libarchive*
ls: /usr/lib/libarchive*: No such file or directory
$ which portsnap
which: portsnap: Command not found.
$ which bspatch
which: bspatch: Command not found.
$
Reply With Quote
  #3   (View Single Post)  
Old 13th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,586
Default

Posting an update to add that libarchive (which includes bsdtar) is available in the Ports tree. The last update to the port was in June:
Code:
----------------------------
revision 1.32
date: 2016/06/23 20:19:36;  author: naddy;  state: Exp;  lines: +3 -4;  commitid: oKSe3FA0NcH1Tbz8;
Security update to 3.2.1.
This release fixes several critical bugs, including some with security
implications.  (At least CVE-2016-4300, CVE-2016-4301.)
----------------------------
Reply With Quote
  #4   (View Single Post)  
Old 13th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,586
Default

And ... I found bspatch, which is included with the bsdiff port. That port has not been updated since 2013, and the application itself has not been revised since 2009.

---

I'll stop here, and let you do your own research from this point forward.
Reply With Quote
  #5   (View Single Post)  
Old 13th August 2016
betweendayandnight betweendayandnight is offline
friendly
 
Join Date: Jul 2015
Posts: 67
Default

Thanks, jggimi, for your detailed answers.

OpenBSD has proved that it is quite resilient against security vulnerabilities that are found in Linux and FreeBSD.

Did you know that an organization under the auspices of the EU recommended OpenBSD as the FOSS of choice where security is of paramount importance?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD OpenBSD has accepted projects from Google Summer of Code 2015 J65nko News 0 30th April 2015 08:49 AM
Google Summer of Code - OpenBSD shep News 9 14th September 2014 07:44 PM
New Open DRM code for OpenBSD shep News 0 22nd March 2013 02:32 AM
*** Error code 1 building OpenBSD 5.1-stable from source comet--berkeley OpenBSD Installation and Upgrading 12 19th May 2012 02:18 AM
Compiling OpenBSD code WeakSauceIII OpenBSD General 4 19th May 2008 12:59 AM


All times are GMT. The time now is 01:57 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick