Tracing binaries statically linked against vulnerable libs

Remko Lodder remko at elvandar.org
Fri Oct 6 06:42:21 PDT 2006


Hello,

The thing I would do with known applications that are linked statically
to a vulnerable version of ${Application} is bumping the version of the
port.

Why do I do that? If ffmpeg in this case is being updated and the
PORTREVISION of gstreamer as well, people get informed that they should
update. I would also mark it vulnerable (the version with the lower
PORTREVISION) so that people are "forced" to reinstall the application,
which causes the link to reoccur with hopefully the fixed version.

We did that with xpdf as well, as far as I can recall. And yes, that was
like hell, but it has to be done to protect our user base.

Does this give enough hands and feet to help you?

Cheers,
remko
-- 
Kind regards,

   Remko Lodder  ** remko at elvandar.org
        FreeBSD  ** remko at FreeBSD.org

   /* Quis Custodiet ipsos custodes */


<quote who="Andrew Pantyukhin">
> I wonder if there is a way to deal with statically linked binaries,
> which use vulnerable libraries.
>
> There's this advisory:
> http://www.vuxml.org/freebsd/964161cd-6715-11da-99f6-00123ffe8333.html
>
> But mplayer and libxine are linked statically against ffmpeg,
> as are reportedly many other apps like gstreamer. Of course
> I can install every port that requires ffmpeg directly, look for
> "lavc" strings and compare it to ldd output, but it sounds like
> a nightmare.
>
> Thanks!
> _______________________________________________________
> Please think twice when forwarding, cc:ing, or bcc:ing
> security-team messages.  Ask if you are unsure.
>
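The check Andrew describes above (look for the "lavc" strings that a
statically linked libavcodec leaves in a binary, then compare with what
ldd reports) as an added shell example; it is not part of this thread or
of the ports tree. It assumes that an embedded libavcodec is recognisable
by its "Lavc<version>" ident banner, that `ldd` lists `libavcodec` when
the library is linked dynamically, and that the caller feeds it the
installed-file list of a port (the `pkg_info`/`pkg` invocations in the
comment are assumed, not taken from the thread):

```shell
#!/bin/sh
# Pattern libavcodec's version ident leaves in any binary that embeds it
# (e.g. "Lavc51.40.4"); assumed to be stable enough to grep for.
LAVC_PATTERN='Lavc[0-9]'

# classify_binary FILE [LDD_OUTPUT]
# Prints one of:
#   static  - embeds an lavc ident but ldd shows no libavcodec (the case
#             this thread is about: a private copy that VuXML cannot see)
#   dynamic - no embedded ident, libavcodec comes from the shared lib
#   both    - embeds a copy and also links the shared lib
#   none    - no sign of libavcodec at all
# The optional second argument replaces the real ldd output so the logic
# can be exercised offline on constructed input.
classify_binary() {
    f=$1
    if [ $# -ge 2 ]; then
        ldd_out=$2
    else
        ldd_out=$(ldd "$f" 2>/dev/null || true)
    fi
    has_marker=0
    has_needed=0
    # -a forces grep to treat the binary as text, LC_ALL=C avoids
    # multibyte decoding errors on arbitrary bytes.
    LC_ALL=C grep -aiq "$LAVC_PATTERN" "$f" && has_marker=1
    printf '%s\n' "$ldd_out" | grep -q 'libavcodec' && has_needed=1
    case "$has_marker$has_needed" in
        10) echo static ;;
        01) echo dynamic ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# scan_port < FILELIST
# Reads one installed path per line on stdin (assumed sources: the output
# of `pkg_info -qL <pkg>` on the FreeBSD of this thread's era, or
# `pkg info -ql <pkg>` on pkgng systems) and reports every regular file
# that shows any trace of libavcodec, so the "static" hits can be matched
# against the ffmpeg advisory by hand.
scan_port() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        verdict=$(classify_binary "$path")
        [ "$verdict" = none ] || printf '%s\t%s\n' "$verdict" "$path"
    done
}

# Stand-alone use: classify each binary named on the command line.
for f; do
    printf '%s\t%s\n' "$(classify_binary "$f")" "$f"
done
```

Run it as `pkg_info -qL 'mplayer-*' | sh thisscript.sh` style pipelines
per port, or pass binaries directly; any line reporting `static` names a
binary that will keep the old libavcodec until its port is rebuilt, which
is exactly why the PORTREVISION bump Remko describes is needed.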