Thread: (!)WARN: Using cpio instead of pax can be a security risk;




(!)WARN: Using cpio instead of pax can be a security risk;
user name
2006-11-29 12:27:04
found this in amavisd.log (i inserted the line breaks for better reading...):
#############################################################################
(!)WARN: Using cpio instead of pax can be a security risk;
    please add: $pax='pax';  to amavisd.conf and check that the pax(1) utility
    is available on the system!
(!)do_pax_cpio/1: exit 1
(!)Decoding of p003 (tar archive) failed, leaving it unpacked:
    do_pax_cpio: exit 1 /usr/bin/cpio: Malformed number    777
    n/usr/bin/cpio: Malformed number    376
    n/usr/bin/cpio: Malformed number      1
    n/usr/bin/cpio: Malformed number      213000
    n/usr/bin/cpio: Malformed number 10450757133
    n/usr/bin/cpio: Malformed number
    n/usr/bin/cpio: Malformed number
    n/usr/bin/cpio: premature end of file at (eval 49) line 1239.
#############################################################################

why can using cpio be a security risk? (i'm using "cpio (GNU cpio) 2.7")
and, if so, which pax version is advisable to choose?
i'm confused about the current state of tar/pax/cpio merging code or not...
the heirloom toolchest contains pax, cpio and tar - so do the GNU paxutils
(although i don't find an actual download on savannah.gnu.org - just CVS).
which is best to choose?

thanks

MK


_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

(!)WARN: Using cpio instead of pax can be a security risk;
user name
2006-11-29 23:49:57
MK wrote:

> found this in amavisd.log (i inserted the line breaks for better reading...):
> #############################################################################
> (!)WARN: Using cpio instead of pax can be a security risk;
>     please add: $pax='pax';  to amavisd.conf and check that the pax(1) utility
>     is available on the system!
> (!)do_pax_cpio/1: exit 1
> (!)Decoding of p003 (tar archive) failed, leaving it unpacked:
>     do_pax_cpio: exit 1 /usr/bin/cpio: Malformed number    777
>     n/usr/bin/cpio: Malformed number    376
>     n/usr/bin/cpio: Malformed number      1
>     n/usr/bin/cpio: Malformed number      213000
>     n/usr/bin/cpio: Malformed number 10450757133
>     n/usr/bin/cpio: Malformed number
>     n/usr/bin/cpio: Malformed number
>     n/usr/bin/cpio: premature end of file at (eval 49) line 1239.
> #############################################################################

> why can using cpio be a security risk? (i'm using "cpio (GNU cpio) 2.7")
> and, if so, which pax version is advisable to choose?
> i'm confused about the current state of tar/pax/cpio merging code or not...
> the heirloom toolchest contains pax, cpio and tar - so do the GNU paxutils
> (although i don't find an actual download on savannah.gnu.org - just CVS).
> which is best to choose?
>
> thanks
>
> MK

I personally have no real answers for you on this, but doesn't your
distro have 'pax' available where you could simply install the pax
package/port/whatever?

Gary V


(!)WARN: Using cpio instead of pax can be a security risk;
user name
2006-11-30 00:54:52
> why can using cpio be a security risk? (i'm using "cpio (GNU cpio) 2.7")

cpio can be tricked into decoding multiple archive components into the same file,
overwriting previous contents, which could help in camouflaging a virus.
pax has options which can reduce the problem to a large extent (including
some other implications of the same), although it still is not perfect
for the job. tar is very much nonstandard and limited in formats it supports
compared to pax.

> if so, which pax version is advisable to choose?

If your OS comes with it, it should do (unless it is ancient).
Otherwise compile it from source, or use a heirloom version, which is quite good.

  Mark
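
Added example, not part of the original thread and not amavisd code: a Python check for the case Mark describes, where several archive components decode to the same file and the later one replaces the earlier. The function names and the sample archive are constructed for illustration; it flags paths stored more than once and unpacks every component under a unique label so a scanner sees each copy.

```python
import io
import posixpath
import tarfile
from collections import defaultdict


def normalize(name):
    """Map aliases such as './a' and 'x/../a' to one spelling so they compare equal."""
    return posixpath.normpath(name.lstrip("/"))


def build_sample():
    """Constructed sample archive: report.txt is stored twice, the second time as ./report.txt."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in [("report.txt", b"first payload"),
                           ("notes.txt", b"unrelated"),
                           ("./report.txt", b"benign text")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_overwrites(tar_bytes):
    """Return {path: [size of each copy]} for every path stored more than once."""
    seen = defaultdict(list)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                seen[normalize(member.name)].append(member.size)
    return {path: sizes for path, sizes in seen.items() if len(sizes) > 1}


def unpack_for_scanning(tar_bytes):
    """Return (label, path, data) per component; labels are unique, so no copy replaces another."""
    parts = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for index, member in enumerate(tar):
            if member.isfile():
                data = tar.extractfile(member).read()
                parts.append((f"part-{index:03d}", normalize(member.name), data))
    return parts


if __name__ == "__main__":
    sample = build_sample()
    print("paths stored more than once:", find_overwrites(sample))
    for label, path, data in unpack_for_scanning(sample):
        print(label, path, data)
```
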

(!)WARN: Using cpio instead of pax can be a security risk;
user name
2006-11-30 08:23:01
At 00:49 30.11.2006, you wrote:

>I personally have no real answers for you on this, but doesn't your
>distro have 'pax' available where you could simply install the pax
>package/port/whatever?

no distro - it's linux from scratch...


>Gary V