From: D J Hawkey Jr
To: Bruce Evans
cc: security at FreeBSD
Date: Wed, 26 Mar 2003 23:45:04 -0600
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030326234503.A21679@sheol.localdomain>

On Mar 27, at 04:22 PM, Bruce Evans wrote:
>
> On Wed, 26 Mar 2003, Uros Juvan wrote:
>
> > Idea is cool, but it just won't work on statically linked files, you can
> > test this with:
> >
> > # readelf -a /bin/ls
> >
> > for example :(
> >
> > I don't think there is 100% way of telling whether statically linked file
> > is linked against vulnerable xdr_mem.o, especially because obviously
> > rcsid string is undefined in source file.
>
> This isn't so obvious:
>
> %%%
> Script started on Thu Mar 27 16:07:33 2003
> ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
> $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
> ttyp0:bde@besplex:/tmp> exit
>
> Script done on Thu Mar 27 16:07:44 2003
> %%%
>
> (strings -a shows a few other interesting strings and lots of bloat.)
>
> xdr_mem.c has always had some sort of id string, but putting the string
> in the object file was broken for many years by putting the rcsid in
> the LIBC_SCCS section and then renaming LIBC_SCCS to LIBC_RCS in the
> Makefile without adjusting any source files that had ids. This was fixed
> relatively recently in -current but is still broken in RELENG_4.

OK, I now have to take this a little off-topic, and ask the following:

Given that it's improbable, if not nearly impossible, to discover what
statically-linked binaries may be involved with any vulnerability, isn't
it reasonable to ask if the benefits of statically-linked binaries aren't
outweighed by the [security] drawbacks?

Granted, a "no static binaries" policy wouldn't cover things outside of
any given distribution, but at that point, the vendor is absolved.

> Bruce

Should this move on over to freebsd-hackers@ ?

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
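
Added example, not part of the original message or of FreeBSD: a Python sketch of the "strings -a | grep" check shown in the thread, extended to parse the embedded $FreeBSD$ id and compare its revision with a fixed one. The sample blobs, the function names and the FIXED_REV value are constructed assumptions; the thread does not state which revision carries the fix.

```python
import re

# Expanded $FreeBSD$ keyword as it appears when the rcsid is compiled into an object.
IDENT_RE = re.compile(
    rb"\$FreeBSD: (?P<path>\S+),v (?P<rev>\d+(?:\.\d+)+) "
    rb"(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ \$"
)

# Constructed sample inputs (not real binaries): the id string quoted in the thread
# inside filler bytes, a blob with no id at all, and a made-up branch revision.
PAGE_ID = b"$FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $"
WITH_ID = b"\x7fELF\x01\x00" + PAGE_ID + b"\x00\x00text"
NO_ID = b"\x7fELF\x01\x00xdrmem_create\x00\x00text"
BRANCH_ID = b"\x00$FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.10.2.1 2003/01/01 00:00:00 example Exp $\x00"
FIXED_REV = "1.12"  # placeholder assumption: the thread does not give the fixed revision

def find_idents(blob, source_suffix):
    """Return [(path, revision)] for embedded ids whose path ends with source_suffix."""
    hits = []
    for m in IDENT_RE.finditer(blob):
        path = m.group("path").decode("ascii", "replace")
        if path.endswith(source_suffix):
            hits.append((path, m.group("rev").decode("ascii")))
    return hits

def classify(blob, source_suffix, fixed_rev):
    """Compare each embedded revision with fixed_rev; the worst verdict wins."""
    fixed = tuple(int(n) for n in fixed_rev.split("."))
    hits = find_idents(blob, source_suffix)
    if not hits:
        # No id string proves nothing: the object may be linked in without its rcsid.
        return "unknown"
    verdicts = set()
    for _path, rev in hits:
        r = tuple(int(n) for n in rev.split("."))
        if r[:-1] != fixed[:-1]:
            verdicts.add("different-branch")  # branch revisions do not order against trunk
        elif r < fixed:
            verdicts.add("older-than-fixed")
        else:
            verdicts.add("at-or-after-fixed")
    for v in ("older-than-fixed", "different-branch", "at-or-after-fixed"):
        if v in verdicts:
            return v

if __name__ == "__main__":
    for name, blob in (("WITH_ID", WITH_ID), ("NO_ID", NO_ID), ("BRANCH_ID", BRANCH_ID)):
        print(name, classify(blob, "xdr/xdr_mem.c", FIXED_REV))
```

To scan a real file, pass open(path, "rb").read() as the blob; an "unknown" result has to be treated as unverified rather than clean, since the id string may simply not have been compiled in.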