Date:      Fri, 6 Oct 2006 15:42:19 +0200 (CEST)
From:      "Remko Lodder" <remko@elvandar.org>
To:        "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
Cc:        hackers@freebsd.org, secteam@freebsd.org
Subject:   Re: Tracing binaries statically linked against vulnerable libs
Message-ID:  <22593.194.74.82.3.1160142139.squirrel@webmail.evilcoder.org>
In-Reply-To: <cb5206420610052235t78033639vaa90429f07581078@mail.gmail.com>
References:  <cb5206420610052235t78033639vaa90429f07581078@mail.gmail.com>

Hello,

The thing I would do with known applications that are linked statically
to a vulnerable version of ${Application} is bumping the version of the
port.

Why do I do that? If ffmpeg in this case is being updated and the
PORTREVISION of gstreamer as well, people get informed that they should
update. I would also mark it vulnerable (the version with the lower
PORTREVISION) so that people are "forced" to reinstall the application,
which causes the link to reoccur with hopefully the fixed version.

We did that with xpdf as well, as far as I can recall. And yes, that was
like hell, but it has to be done to protect our user base.

Does this give enough hands and feet to help you?

Cheers,
remko
-- 
Kind regards,

   Remko Lodder  ** remko@elvandar.org
        FreeBSD  ** remko@FreeBSD.org

   /* Quis Custodiet ipsos custodes */


<quote who="Andrew Pantyukhin">
> I wonder if there is a way to deal with statically linked binaries,
> which use vulnerable libraries.
>
> There's this advisory:
> http://www.vuxml.org/freebsd/964161cd-6715-11da-99f6-00123ffe8333.html
>
> But mplayer and libxine are linked statically against ffmpeg,
> as are reportedly many other apps like gstreamer. Of course
> I can install every port that requires ffmpeg directly, look for
> "lavc" strings and compare it to ldd output, but it sounds like
> a nightmare.
>
> Thanks!
> _______________________________________________________
> Please think twice when forwarding, cc:ing, or bcc:ing
> security-team messages.  Ask if you are unsure.
>

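The two procedures discussed in this thread, the "look for lavc strings and compare to ldd output" check from the original question and the PORTREVISION bump from the reply, as an added shell example. This is not code from the thread or from the FreeBSD project. It assumes that libavcodec embeds an ident string of the form "Lavc<version>" (the "lavc" string mentioned above) and that a port Makefile keeps PORTREVISION on the line after PORTVERSION; the sample files in the usage below are constructed.

```shell
# Added example, not code from this thread or from the FreeBSD project.
# Two helpers for the two procedures discussed above:
#   lavc_link_status  FILE      how FILE is linked to libavcodec, if at all
#   bump_portrevision MAKEFILE  bump PORTREVISION so users rebuild the port
# Assumed: libavcodec embeds an ident string of the form "Lavc<version>"
# (the "lavc" string the original poster mentions).

# Print one of:
#   dynamic          ldd lists a libavcodec shared object
#   static <ident>   no libavcodec in ldd output, but a Lavc ident string is
#                    embedded, i.e. libavcodec was linked in statically
#   none             neither
lavc_link_status() {
    f=$1
    # ldd hands the file to the dynamic loader, so keep it away from
    # untrusted binaries (objdump -p / readelf -d are safer there).
    if ldd "$f" 2>/dev/null | grep -q 'libavcodec'; then
        echo dynamic
        return 0
    fi
    # Portable stand-in for strings(1): turn every non-printable byte
    # into a newline, then pick out the first ident such as "Lavc51.40.4".
    ident=$(tr -c '[:print:]' '\n' < "$f" | grep -o 'Lavc[0-9][0-9.]*' | head -n 1)
    if [ -n "$ident" ]; then
        echo "static $ident"
    else
        echo none
    fi
}

# Increment PORTREVISION in MAKEFILE (or add a PORTREVISION of 1 directly
# after PORTVERSION when the port has none) and print the new value.
# A changed PORTREVISION gives the package a new version, so tools that
# compare installed packages against the ports tree report the dependent
# port as out of date and it gets rebuilt against the fixed library.
bump_portrevision() {
    mk=$1
    cur=$(sed -n 's/^PORTREVISION=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$mk")
    if [ -n "$cur" ]; then
        new=$((cur + 1))
    else
        new=1
    fi
    # have is non-empty when a PORTREVISION line already exists; in that
    # case it is rewritten in place, otherwise one is inserted after
    # PORTVERSION. The file is rewritten via a temp copy (portable sed -i).
    awk -v new="$new" -v have="${cur:+1}" '
        /^PORTREVISION=/ { printf "PORTREVISION=\t%s\n", new; next }
        { print }
        /^PORTVERSION=/ && have == "" { printf "PORTREVISION=\t%s\n", new }
    ' "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
    echo "$new"
}
```

To answer the original question for a whole system, run lavc_link_status over the files of every installed package that depends on ffmpeg (for example the output of pkg_info -L for each such package) and treat every "static ..." result as a candidate for a PORTREVISION bump and a VuXML entry covering the lower PORTREVISION. Note that the ident string tells you only that libavcodec was compiled in, not which ffmpeg snapshot it came from; the version it prints is a hint to compare against the advisory, not a verdict.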
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?22593.194.74.82.3.1160142139.squirrel>