Date: Wed, 26 Mar 2003 23:45:04 -0600 From: D J Hawkey Jr <hawkeyd@visi.com> To: Bruce Evans <bde@zeta.org.au> Cc: security at FreeBSD <freebsd-security@freebsd.org> Subject: Re: what actually uses xdr_mem.c? Message-ID: <20030326234503.A21679@sheol.localdomain> In-Reply-To: <20030327160638.J1404@gamplex.bde.org>; from bde@zeta.org.au on Thu, Mar 27, 2003 at 04:22:05PM %2B1100 References: <Pine.LNX.4.43.0303252144400.21019-100000@pilchuck.reedmedia.net> <20030326061041.A17052@sheol.localdomain> <20030326071637.A17385@sheol.localdomain> <3E81AF6C.3060705@arnes.si> <20030327160638.J1404@gamplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mar 27, at 04:22 PM, Bruce Evans wrote:
>
> On Wed, 26 Mar 2003, Uros Juvan wrote:
>
> > Idea is cool, but it just won't work on staticaly linked files, you can
> > test this with:
> >
> > # readelf -a /bin/ls
> >
> > for example :(
> >
> > I don't think there is 100% way of telling whether staticaly linked file
> > is linked against vulnerable xdr_mem.o, especially because obviously
> > rcsid string is undefined in source file.
>
> This isn't so obvious:
>
> %%%
> Script started on Thu Mar 27 16:07:33 2003
> ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
> $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
> ttyp0:bde@besplex:/tmp> exit
>
> Script done on Thu Mar 27 16:07:44 2003
> %%%
>
> (strings -a shows a few other interesting strings and lots of bloat.)
>
> xdr_mem.c has always had some sort of id string, but putting the string
> in the object file was broken for many years by putting the rcsid in
> the LIBC_SCCS section and then renaming LIBC_SCCS to LIBC_RCS in the
> Makefile without adjusting any source files that had ids. This was fixed
> relatively recently in -current but is still broken in RELENG_4.
OK, I now have to take this a little off-topic, and ask the following:
Given that it's improbable, if not nearly impossible, to discover what
statically-linked binaries may be involved with any vulnerability, isn't
it reasonable to ask if the benefits of statically-linked binaries aren't
outweighed by the [security] drawbacks?
Granted, a "no static binaries" policy wouldn't cover things outside of
any given distribution, but at that point, the vendor is absolved.
> Bruce
Should this move on over to freebsd-hackers@ ?
Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030326234503.A21679>