Tracing binaries statically linked against vulnerable libs

Andrew Pantyukhin infofarmer at FreeBSD.org
Fri Oct 13 06:19:00 PDT 2006


On 10/7/06, Kris Kennaway <kris at obsecurity.org> wrote:
> On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> > I wonder if there is a way to deal with statically linked binaries,
> > which use vulnerable libraries.
>
> The best way is to track them down and force them all to link
> dynamically; static linking is a PITA from a systems management point
> of view :)

Do you think we could do that without a serious impact on
performance? I know Gentoo has this Prelink feature
(http://www.gentoo.org/doc/en/prelink-howto.xml) which
helps with performance, but looks like a hack.

Anyway, maybe portmgr could issue some kind of a policy
about this. I.e. (1) use {build,run}_depends instead of lib_
when you depend on a port providing both shared and
static libraries, but link statically; (2) make an effort to
encourage dynamic linking - try to provide only shared
libs in new ports, remove unused static ones from old
ones, and so on.

The only secure way to deal with it now is to mark all
ports that depend on a vulnerable one, also vulnerable -
and then try to figure out which of them are indeed safe.
Of course, this will result in half of the tree being marked
vulnerable most of the time :-(

Thanks!
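An added example, not code from this thread or from the FreeBSD ports tools, showing one way to do the tracing the subject line asks about: read the ELF program headers to tell a statically linked executable (no PT_INTERP entry naming the run-time linker) from a dynamic one, then look for the copyright/version strings that libraries such as zlib, OpenSSL and libpng compile into their objects and that survive static linking. The version scan runs on every ELF image, not only fully static ones, because a binary that is dynamic against libc can still have libz.a folded into it. The VULNERABLE table is a placeholder to be filled from the ports vulnerability database, and make_sample_elf() together with the two sample images are constructed for the demonstration; none of these come from the page.

```python
"""Find ELF binaries with vulnerable library versions compiled in (added example)."""
import re
import struct
from pathlib import Path

PT_INTERP = 3  # program header type carrying the run-time linker path

# Strings the libraries themselves embed. Heuristic: an application that prints
# "built with OpenSSL x.y.z" also matches, so treat hits as leads to confirm.
VERSION_PATTERNS = {
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) "),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

# Placeholder table constructed for this example; fill it from the ports
# vulnerability database (VuXML) before relying on the scanner.
VULNERABLE = {"zlib": {"1.2.2"}}


def program_headers(data):
    """Return [(p_type, p_offset, p_filesz), ...] for an ELF image, [] if not ELF."""
    if data[:4] != b"\x7fELF":
        return []
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2 and len(data) >= 64:  # ELF64: e_phoff @0x20, phentsize/phnum @0x36
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, idx = end + "IIQQQQQQ", (0, 2, 5)  # p_type, p_offset, p_filesz positions
    elif ei_class == 1 and len(data) >= 52:  # ELF32: e_phoff @0x1C, phentsize/phnum @0x2A
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt, idx = end + "IIIIIIII", (0, 1, 4)
    else:
        return []
    out = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + struct.calcsize(fmt) > len(data):
            break  # truncated or corrupt header table: stop rather than raise
        f = struct.unpack_from(fmt, data, off)
        out.append((f[idx[0]], f[idx[1]], f[idx[2]]))
    return out


def is_static(data):
    """True for an ELF image that has program headers but no PT_INTERP."""
    hdrs = program_headers(data)
    return bool(hdrs) and all(t != PT_INTERP for t, _, _ in hdrs)


def embedded_versions(data):
    """Map library name -> set of version strings found anywhere in the image."""
    found = {}
    for lib, pat in VERSION_PATTERNS.items():
        versions = {m.group(1).decode("ascii") for m in pat.finditer(data)}
        if versions:
            found[lib] = versions
    return found


def assess(data, vulnerable=VULNERABLE):
    """Return (static, versions, flagged) for an ELF image, None for anything else.
    flagged lists (lib, version) pairs both compiled in and listed as vulnerable."""
    if not program_headers(data):
        return None
    versions = embedded_versions(data)
    flagged = sorted((lib, v) for lib, vs in versions.items()
                     for v in vs if v in vulnerable.get(lib, ()))
    return is_static(data), versions, flagged


def scan_tree(root, vulnerable=VULNERABLE):
    """Walk root and yield (path, static, versions, flagged) for every ELF file."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            try:
                result = assess(p.read_bytes(), vulnerable)
            except OSError:
                continue
            if result:
                yield (str(p), *result)


def make_sample_elf(p_types, payload):
    """Constructed little-endian ELF64 image for the demo: header, one program
    header per type in p_types, then payload. Not loadable; only the fields the
    scanner reads are meaningful."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in p_types)
    return ehdr + phdrs + payload


# Constructed samples: a static image (PT_LOAD only) with a zlib 1.2.2 copyright
# string folded in, and a dynamic image (PT_INTERP present) with no library strings.
STATIC_SAMPLE = make_sample_elf([1], b"\0" * 8 + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \0")
DYNAMIC_SAMPLE = make_sample_elf([3, 1], b"/libexec/ld-elf.so.1\0")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python scan.py /usr/local/bin
        for path, static, versions, flagged in scan_tree(sys.argv[1]):
            if flagged:
                print(f"{path}: static={static} flagged={flagged}")
    else:
        for name, img in (("static", STATIC_SAMPLE), ("dynamic", DYNAMIC_SAMPLE)):
            print(name, assess(img))
```

Run it with a directory argument to walk an installed tree such as /usr/local/bin; a hit only says a matching string is present, so confirm against the port's build before marking it vulnerable, and note that libraries which embed no version string (most of them) are invisible to this scan, which is why the thread falls back on dependency tracking in the ports tree.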


More information about the freebsd-hackers mailing list