From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 23:01:24 2003
Date: Thu, 27 Mar 2003 18:01:11 +1100 (EST)
From: Bruce Evans
To: D J Hawkey Jr
cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
In-Reply-To: <20030326234503.A21679@sheol.localdomain>
Message-ID: <20030327174923.P1825@gamplex.bde.org>

On Wed, 26 Mar 2003, D J Hawkey Jr wrote:

> On Mar 27, at 04:22 PM, Bruce Evans wrote:
> >
> > On Wed, 26 Mar 2003, Uros Juvan wrote:
> >
> > > Idea is cool, but it just won't work on statically linked files, you can
> > > test this with:
> > >
> > > # readelf -a /bin/ls
> > >
> > > for example :(
> > ...
> > This isn't so obvious:
> >
> > %%%
> > Script started on Thu Mar 27 16:07:33 2003
> > ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
> > $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
> > ttyp0:bde@besplex:/tmp> exit
> >
> > Script done on Thu Mar 27 16:07:44 2003
> > %%%
> > ...
>
> OK, I now have to take this a little off-topic, and ask the following:
>
> Given that it's improbable, if not nearly impossible, to discover what
> statically-linked binaries may be involved with any vulnerability, isn't

This isn't given.  It is very easy to see xdr_mem.c in static binaries
in -current (see above).  If there were no id string, then it is still
easy to see what is in static binaries if you don't strip them.  I
install them stripped but keep the originals in /usr/obj.

> it reasonable to ask if the benefits of statically-linked binaries aren't
> outweighed by the [security] drawbacks?

The only security drawbacks with statically-linked binaries are that
you can't fix security bugs for multiple programs by installing 1 new
library.  This is also a security drawforward - installing 1 new
library with a security bug gives security bugs in multiple programs.

Bruce
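An added example, not code from the thread or from FreeBSD: it turns the one-off `strings -a /bin/ls | grep xdr_mem` check above into a small audit function that reports which of a list of binaries embed a given source id string, so the question "which static binaries carry this library file?" can be answered over a whole directory. It assumes only POSIX sh and a grep that accepts `-a` (GNU and BSD grep do); the sample "binaries" are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: audit binaries for an embedded source
# id string, e.g. the $FreeBSD$ id of xdr_mem.c that the message above found
# inside the static /bin/ls.  Assumes POSIX sh and a grep that accepts -a.

# Print each FILE whose raw bytes contain PATTERN (a basic regex).
# Same idea as `strings -a FILE | grep PATTERN`: -a makes grep treat the
# binary as text, and the whole file is searched, not only loaded sections.
find_embedded_source() {
    pattern=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        if LC_ALL=C grep -a -q -e "$pattern" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Count how many of the given files embed PATTERN; useful as a summary when
# sweeping a directory, e.g. count_embedded_source 'xdr_mem\.c' /bin/* /sbin/*
count_embedded_source() {
    pattern=$1; shift
    find_embedded_source "$pattern" "$@" | wc -l | tr -d ' '
}

# Constructed demo: two fake "binaries" in a temp dir, one carrying the id
# string quoted in the message, one without it.
demo() {
    d=$(mktemp -d) || return 1
    printf '\001\002junk\n$FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $\n\003' > "$d/static_ls"
    printf '\001\002no id strings here\n' > "$d/dynamic_cat"
    find_embedded_source 'xdr_mem\.c' "$d/static_ls" "$d/dynamic_cat"   # prints .../static_ls
    count_embedded_source 'xdr_mem\.c' "$d/static_ls" "$d/dynamic_cat"  # prints 1
    rm -rf "$d"
}

demo
```

Run it against real paths with `find_embedded_source 'xdr_mem\.c' /bin/* /sbin/* /usr/bin/*`; as the message notes, this only works where the id string was compiled in, so an unstripped copy (the /usr/obj originals) is the fallback when it is absent.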