FreeBSD 12.3 Released With Updated AMD & Networking Hardware, Password Protected ZIPs


  • FreeBSD 12.3 Released With Updated AMD & Networking Hardware, Password Protected ZIPs

    Phoronix: FreeBSD 12.3 Released With Updated AMD & Networking Hardware, Password Protected ZIPs

    While FreeBSD 13 is the current stable version of this leading open-source BSD operating system, FreeBSD 12.3 shipped today for their N-1 series...

    https://www.phoronix.com/scan.php?pa...x=FreeBSD-12.3

  • #2
    Oh yeah, they maintain their own unzip utility right? That's pretty cool.

    What Linux distros are using is an ancient, unmaintained version (2009) with a bunch of distro patches on top. I think I also remember a couple of security vulnerabilities being present in it, but don't quote me on that.

    EDIT: It seems they are using NetBSD's utility and are often syncing with it (https://github.com/freebsd/freebsd-s.../unzip/unzip.c).

    EDIT2: FreeBSD's version is 1133 lines while the one used by Arch is 82057 lines.

    Counted with:
    find . -type f -name '*.[ch]' -exec cat {} + | grep -c '^'
    Last edited by kvuj; 08 December 2021, 12:05 AM.



    • #3
      This seems to be a little strange. Maybe the BSD version has more dependencies than the Linux version?
      On the contrary, ZIP ain't that complex and might well be doable with 1000 lines of C code. Maybe the Linux version is faster or uses less memory?



      • #4
        You could have used tokei



        • #5
          Password protected zip files do not encrypt the file names, which can leak information, and when I last looked, did not have integrity checking of the list of filenames in the archive, so it is possible for a malicious actor to replace an encrypted file in the archive with a non-encrypted file of the same name. A workaround is to put your files in a non-encrypted zip archive, then put the single file that is the zip archive into an encrypted zip archive (double zipping).

          https://security.stackexchange.com/q...p-files-secure

          Alternatively 7-zip allows for encrypted archives/containers which are encrypted such that the list of files is encrypted, so you have to provide the password/passphrase to open the archive/container to get a listing of the files in the archive/container.

          https://www.redhat.com/sysadmin/encr...ecrypting-7zip
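
The two properties described in post #5 (entry names readable without the password, and encrypted and unencrypted members able to coexist in one archive) can be checked from the central directory alone. This is an added example, not code from the thread; `audit_zip`, `build_sample` and the sample file names are assumptions made for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry data is encrypted


def audit_zip(data: bytes) -> dict:
    """Read only the central directory; no password is supplied."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(zi.filename, bool(zi.flag_bits & ENCRYPTED))
                   for zi in zf.infolist() if not zi.is_dir()]
    encrypted = [name for name, enc in entries if enc]
    plaintext = [name for name, enc in entries if not enc]
    return {
        "names": [name for name, _ in entries],   # readable without the password
        "encrypted": encrypted,
        "plaintext": plaintext,
        # A protected archive holding any unencrypted member deserves a look:
        # that member is not protected by the password at all.
        "mixed": bool(encrypted) and bool(plaintext),
    }


def build_sample(encrypted_count: int = 2) -> bytes:
    """Constructed sample: three stored entries, then flag bit 0 is set in the
    central directory for the first `encrypted_count` of them. The data is not
    really encrypted; only the metadata a lister sees is modelled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("payroll-2021.xlsx", "notes.txt", "readme.txt"):
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    # End-of-central-directory record is the last 22 bytes (no archive comment).
    total, _size, pos = struct.unpack_from("<HII", raw, len(raw) - 12)
    for i in range(total):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        if i < encrypted_count:
            (flags,) = struct.unpack_from("<H", raw, pos + 8)
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    for key, value in audit_zip(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a real archive by passing its bytes to `audit_zip`; a `mixed` result on an archive that was created fully encrypted means at least one member no longer depends on the password.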



          • #6
            Originally posted by Old Grouch
            Password protected zip files do not encrypt the file names, which can leak information, and when I last looked, did not have integrity checking of the list of filenames in the archive, so it is possible for a malicious actor to replace an encrypted file in the archive with a non-encrypted file of the same name. A workaround is to put your files in a non-encrypted zip archive, then put the single file that is the zip archive into an encrypted zip archive (double zipping).
            Back in the day I remember pirates using that exploit by putting the password in the archive as a file name.
            1. game.exe
            2. game.dll
            3. Password is "12345678".txt



            • #7
              Originally posted by Anux
              This seems to be a little strange. Maybe the BSD version has more dependencies than the Linux version?
              On the contrary, ZIP ain't that complex and might well be doable with 1000 lines of C code. Maybe the Linux version is faster or uses less memory?
              The one on Arch is crossplatform and has been around since the DOS era. I imagine if the FreeBSD one had decades of crossplatform complexity it'd be a bit larger.



              • #8
                FreeBSD used to be my most favorite Unix, until I started reading more and more about its security and now I'm not so sure it is the best. FreeBSD doesn't have ASLR by default nor position independent executables. There is HardenedBSD but it has a bus factor of 2, meaning there are two developers and if they get hit by a bus or decide to quit then the project is done. I really like OpenBSD for security but it is lacking in areas like a working Linux emulator or virtualization like FreeBSD. FreeBSD 14 should have more security features enabled by default but we have just barely started on the 13.x series so 14.0 is a long time away.



                • #9
                  Originally posted by skeevy420

                  The one on Arch is crossplatform and has been around since the DOS era. I imagine if the FreeBSD one had decades of crossplatform complexity it'd be a bit larger.
                  But still 79000 LOC just for crossplatform? Do they have a separate assembly implementation for every CPU variation out there? C alone is already cross platform and since it's a CLI there shouldn't be too much difference for any *nix platform. That would leave DOS/Windows CLI which also shouldn't need that much code.

                  Guess I'll have a look at the code on the weekend. Really interested in why.



                  • #10
                    Originally posted by Anux

                    But still 79000 LOC just for crossplatform? Do they have a separate assembly implementation for every CPU variation out there? C alone is already cross platform and since it's a CLI there shouldn't be too much difference for any *nix platform. That would leave DOS/Windows CLI which also shouldn't need that much code.

                    Guess I'll have a look at the code on the weekend. Really interested in why.
                    To be fair, most of those lines seem to come from specific OS folders (Atari, AmigaOS, BeOS, theos, etc.)
