From owner-freebsd-hackers@FreeBSD.ORG Fri Oct 13 13:19:00 2006
Return-Path:
X-Original-To: hackers@freebsd.org
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D041016A407 for ; Fri, 13 Oct 2006 13:19:00 +0000 (UTC) (envelope-from infofarmer@gmail.com)
Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.237]) by mx1.FreeBSD.org (Postfix) with ESMTP id D07F343D91 for ; Fri, 13 Oct 2006 13:18:58 +0000 (GMT) (envelope-from infofarmer@gmail.com)
Received: by qb-out-0506.google.com with SMTP id a10so170214qbd for ; Fri, 13 Oct 2006 06:18:58 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=S8ZpkBDONT6/U7pwmxcRrhAzTmtjSAnULhgO3l5AmleFOpc5bHbXm4uxlpjUQN+M3CedAnsFqm+rFD6Z5bQSYB1CVVom6nkVkAztY7906yiCOXzEdIf4wR7rvwS6VZjFd76h7M4qLOVKlyw4O7lOrYHVYucOJGVQZOjZkz3QKFA=
Received: by 10.35.48.15 with SMTP id a15mr5666377pyk; Fri, 13 Oct 2006 06:18:57 -0700 (PDT)
Received: by 10.35.105.10 with HTTP; Fri, 13 Oct 2006 06:18:57 -0700 (PDT)
Message-ID:
Date: Fri, 13 Oct 2006 17:18:57 +0400
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Kris Kennaway"
In-Reply-To: <20061006215902.GA21109@xor.obsecurity.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20061006215902.GA21109@xor.obsecurity.org>
X-Google-Sender-Auth: 464479b0a0b3f02a
Cc: hackers@freebsd.org, secteam@freebsd.org
Subject: Re: Tracing binaries statically linked against vulnerable libs
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Fri, 13 Oct 2006 13:19:00 -0000

On 10/7/06, Kris Kennaway wrote:
> On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> > I wonder if there is a way to deal with statically linked binaries,
> > which use vulnerable libraries.
>
> The best way is to track them down and force them all to link
> dynamically; static linking is a PITA from a systems management point
> of view :)

Do you think we could do that without a serious impact on performance? I know Gentoo has this Prelink feature (http://www.gentoo.org/doc/en/prelink-howto.xml) which helps with performance, but it looks like a hack.

Anyway, maybe portmgr could issue some kind of a policy about this, i.e.:

(1) use {build,run}_depends instead of lib_ when you depend on a port providing both shared and static libraries, but link statically;

(2) make an effort to encourage dynamic linking - try to provide only shared libs in new ports, remove unused static ones from old ones, and so on.

The only secure way to deal with it now is to mark all ports that depend on a vulnerable one as vulnerable too - and then try to figure out which of them are indeed safe. Of course, this will result in half of the tree being marked vulnerable most of the time :-(

Thanks!
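The thread's starting problem, finding binaries that were linked statically against a library later found vulnerable, has a concrete first step that ldd(1) cannot do: a static binary has no dynamic section to list. What an administrator can check instead is the ELF program header table, since the kernel itself recognises a dynamically linked executable by its PT_INTERP entry (the runtime linker path) and its PT_DYNAMIC entry. The following is an added example, not code from this thread or from the FreeBSD project: it parses the program headers of little-endian ELF32/ELF64 images, classifies each image as static or dynamic, and, for static ones, looks for an embedded library version banner as a hint of which library copy is inside. The library name "examplelib", the banner text and the two in-memory ELF images are constructed for the example; the constructed images carry no real code.

```python
"""Classify ELF executables as statically or dynamically linked by reading
their program headers, then grep static ones for an embedded library banner.

Added example (not from the freebsd-hackers thread). PT_INTERP names the
runtime linker; PT_DYNAMIC points at the dynamic section. An executable
with neither is statically linked and will not show up in ldd(1) output.
"""
import os
import struct

PT_DYNAMIC = 2
PT_INTERP = 3
ELFCLASS32, ELFCLASS64 = 1, 2
EM_X86_64 = 0x3E
ELFOSABI_FREEBSD = 9


def program_header_types(data):
    """Return the list of p_type values of a little-endian ELF image.

    Raises ValueError for anything that is not a well-formed ELF header.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data != 1:
        raise ValueError("only little-endian ELF is handled here")
    if ei_class == ELFCLASS64:
        # ELF64: e_phoff at byte 32, e_phentsize/e_phnum at bytes 54/56
        phoff = struct.unpack_from("<Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
    elif ei_class == ELFCLASS32:
        # ELF32: e_phoff at byte 28, e_phentsize/e_phnum at bytes 42/44
        phoff = struct.unpack_from("<I", data, 28)[0]
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("program header table truncated")
        types.append(struct.unpack_from("<I", data, off)[0])  # p_type is first
    return types


def is_statically_linked(data):
    """True when the image has neither PT_INTERP nor PT_DYNAMIC."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def embedded_banners(data, needles):
    """Return the needles (bytes) found verbatim inside the image.

    Static libraries commonly leave a version banner in .rodata; finding one
    is a hint, not proof, that a private copy of that library is linked in.
    """
    return [n for n in needles if n in data]


def classify_images(images, needles):
    """Map name -> (kind, banners) for a dict of name -> image bytes."""
    report = {}
    for name, data in images.items():
        static = is_statically_linked(data)
        report[name] = ("static" if static else "dynamic",
                        embedded_banners(data, needles) if static else [])
    return report


def scan_directory(root, needles):
    """Walk a directory tree and report every static ELF file found."""
    images = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                program_header_types(data)  # skip non-ELF files
            except (OSError, ValueError):
                continue
            images[path] = data
    return {p: r for p, r in classify_images(images, needles).items() if r[0] == "static"}


def build_elf64(ptypes, payload=b""):
    """Construct a minimal little-endian ELF64 image for testing (no real code)."""
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, ELFOSABI_FREEBSD]) + b"\x00" * 8
    phoff, phentsize = 64, 56
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, EM_X86_64, 1, 0x400000,
                       phoff, 0, 0, 64, phentsize, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ptypes)
    return ehdr + phdrs + payload


# Constructed samples: a dynamic binary (PT_LOAD, PT_INTERP, PT_DYNAMIC) and a
# static one (two PT_LOAD) carrying a made-up library banner in its payload.
DYNAMIC_SAMPLE = build_elf64([1, PT_INTERP, PT_DYNAMIC], b"/libexec/ld-elf.so.1\x00")
STATIC_SAMPLE = build_elf64([1, 1], b"examplelib 1.2.3 (constructed banner)\x00")

if __name__ == "__main__":
    report = classify_images({"dyn": DYNAMIC_SAMPLE, "static": STATIC_SAMPLE},
                             [b"examplelib 1.2"])
    for name, (kind, banners) in report.items():
        print(f"{name}: {kind} {banners}")
```

Run against a real tree with `scan_directory("/usr/local/bin", [b"<banner of the affected library version>"])`; the banner list is the part that has to come from the advisory or from `strings` on the vulnerable static archive, and a hit only narrows the list of candidates that then need to be rebuilt or checked by hand, which is the manual triage the message above describes.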