From: "Remko Lodder" <remko@elvandar.org>
To: "Andrew Pantyukhin"
Cc: hackers@freebsd.org, secteam@freebsd.org
Date: Fri, 6 Oct 2006 15:42:19 +0200 (CEST)
Subject: Re: Tracing binaries statically linked against vulnerable libs

Hello,

The thing I would do with known applications that are linked statically to a vulnerable version of ${Application} is bumping the version of the port. Why do I do that? If ffmpeg in this case is being updated and the PORTREVISION of gstreamer as well, people get informed that they should update. I would also mark it vulnerable (the version with the lower PORTREVISION) so that people are "forced" to reinstall the application, which causes the link to reoccur with hopefully the fixed version. We did that with xpdf as well, as far as I can recall. And yes, that was like hell, but it has to be done to protect our user base.

Does this give enough hands and feet to help you?

Cheers,
remko

--
Kind regards,
Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org
/* Quis Custodiet ipsos custodes */

> I wonder if there is a way to deal with statically linked binaries,
> which use vulnerable libraries.
>
> There's this advisory:
> http://www.vuxml.org/freebsd/964161cd-6715-11da-99f6-00123ffe8333.html
>
> But mplayer and libxine are linked statically against ffmpeg,
> as are reportedly many other apps like gstreamer. Of course
> I can install every port that requires ffmpeg directly, look for
> "lavc" strings and compare it to ldd output, but it sounds like
> a nightmare.
>
> Thanks!
> _______________________________________________________
> Please think twice when forwarding, cc:ing, or bcc:ing
> security-team messages. Ask if you are unsure.
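The inventory check Andrew describes (look for ffmpeg's "lavc" marker strings in each binary of a port that depends on ffmpeg, then compare with what ldd reports) can be scripted so it is no longer a manual nightmare. The script below is an added example, not code from this thread or from the FreeBSD project; it assumes the 2006-era pkg_info(1) package tools, a host with ldd(1) and strings(1), and that the installed ffmpeg package matches the name glob "ffmpeg-*" (an assumption).

```shell
#!/bin/sh
# Classify how one binary relates to libavcodec, given its strings(1) and
# ldd(1) output. "dynamic": the shared lib is linked in, so updating the
# ffmpeg port fixes it. "static": libavcodec version markers ("Lavc...")
# are baked into the binary, so the port itself must be rebuilt.
# "none": no sign of libavcodec at all.
classify_lavc_linkage() {
    strings_out=$1   # text produced by strings(1) on the binary
    ldd_out=$2       # text produced by ldd(1) on the binary
    if printf '%s\n' "$ldd_out" | grep -q 'libavcodec'; then
        echo dynamic
    elif printf '%s\n' "$strings_out" | grep -qi 'lavc'; then
        echo static
    else
        echo none
    fi
}

# Run the classification against a real file on disk.
# Assumption: ldd(1) and strings(1) are installed on this host.
check_binary() {
    bin=$1
    [ -x "$bin" ] || return 1
    s=$(strings "$bin" 2>/dev/null)
    l=$(ldd "$bin" 2>/dev/null)
    printf '%s\t%s\n' "$(classify_lavc_linkage "$s" "$l")" "$bin"
}

# Walk every installed package that requires ffmpeg (pkg_info -R lists
# reverse dependencies, -L lists installed files) and report each binary
# or shared object. Assumption: the package name glob "ffmpeg-*" matches.
scan_ffmpeg_dependents() {
    pkg_info -R -q 'ffmpeg-*' 2>/dev/null | while read -r pkg; do
        pkg_info -L -q "$pkg" 2>/dev/null | while read -r f; do
            case "$f" in
                */bin/*|*/sbin/*|*/libexec/*|*.so|*.so.*) check_binary "$f" ;;
            esac
        done
    done
}
```

Lines tagged "static" are the ports whose PORTREVISION needs bumping and whose old revision should be marked in VuXML; "dynamic" ones are covered by updating ffmpeg alone.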