From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 14 12:11:59 2006
From: "Michael Johnson" (Sender: buhnux@gmail.com)
Date: Sat, 14 Oct 2006 08:11:56 -0400
To: "Kris Kennaway"
Cc: hackers@freebsd.org, secteam@freebsd.org
Subject: Re: Tracing binaries statically linked against vulnerable libs
In-Reply-To: <20061014003238.GA6341@xor.obsecurity.org>
References: <20061006215902.GA21109@xor.obsecurity.org> <20061014003238.GA6341@xor.obsecurity.org>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)
On 10/13/06, Kris Kennaway wrote:
> On Fri, Oct 13, 2006 at 05:18:57PM +0400, Andrew Pantyukhin wrote:
> > On 10/7/06, Kris Kennaway wrote:
> > > On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> > > > I wonder if there is a way to deal with statically linked binaries,
> > > > which use vulnerable libraries.
> > >
> > > The best way is to track them down and force them all to link
> > > dynamically; static linking is a PITA from a systems management point
> > > of view :)
> >
> > Do you think we could do that without a serious impact on
> > performance?
>
> In most of the cases I've looked at the statically linked binary is
> not performance critical or otherwise necessary (the only exception I
> saw is for some tripwire-like port whose name I forget, which is
> statically linked as a security enhancement, to make it less easily
> subverted). Static linking can be made an OPTION if someone thinks
> it's really necessary for a given port.

Each of the ports listed in this thread is a bad example of static
linking to ffmpeg. libxine, gstreamer-ffmpeg, and mplayer include ffmpeg
in their source and don't link to multimedia/ffmpeg. Patching these
ports to use a shared version of ffmpeg is pretty much out of the
question, since we would lose support from the authors. With that said,
I do see the point you're making and I do agree: if at all possible,
make a shared library.

Michael

> > > I know Gentoo has this Prelink feature
> > > (http://www.gentoo.org/doc/en/prelink-howto.xml) which
> > > helps with performance, but looks like a hack.
> > >
> > > Anyway, maybe portmgr could issue some kind of a policy
> > > about this. I.e. (1) use {build,run}_depends instead of lib_
> > > when you depend on a port providing both shared and
> > > static libraries, but link statically; (2) make an effort to
> > > encourage dynamic linking - try to provide only shared
> > > libs in new ports, remove unused static ones from old
> > > ones, and so on.
> >
> > (1) is just a statement of correct behaviour, no need for a policy
> > about it (it could be clarified in the porters handbook if needed).
> > (2) could also be added to the porter's handbook as a recommendation -
> > I don't think we need a formal proclamation of policy about it.
> >
> > Kris
> >
> > P.S. I can provide a list of static binaries in ports if anyone wants
> > to work on fixing them.
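The thread's practical problem is inventory: when an advisory lands for a library, the dynamically linked users are fixed by rebuilding one shared object, while the binaries that embed the library statically have to be found and rebuilt one by one. The script below is an added example, not code from this thread or from the FreeBSD ports tree. It classifies ELF files by their program headers (PT_INTERP means the file needs a run-time linker; PT_DYNAMIC alone means a shared object or static PIE; neither means every library is baked in), handles ELF32 and ELF64 in both byte orders, and walks a tree to list the static executables. The sample ELF images are constructed inline so it runs offline; the paths, names and `build_elf` helper are assumptions made for this example.

```python
# Inventory statically linked ELF executables by reading their program headers.
# Added example for this thread (not FreeBSD ports code); sample images are constructed.
import os
import struct
import tempfile

PT_DYNAMIC = 2  # a dynamic section is present
PT_INTERP = 3   # the binary asks for a run-time linker (e.g. /libexec/ld-elf.so.1)

def _ehdr_info(head):
    """Parse an ELF header; return (endian, e_phoff, e_phentsize, e_phnum) or None."""
    if len(head) < 52 or head[:4] != b"\x7fELF":
        return None
    endian = "<" if head[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    if head[4] == 2 and len(head) >= 64:            # EI_CLASS 2 = ELF64 (8-byte offsets)
        fmt = endian + "HHIQQQIHHHHHH"
    elif head[4] == 1:                               # EI_CLASS 1 = ELF32 (4-byte offsets)
        fmt = endian + "HHIIIIIHHHHHH"
    else:
        return None
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    f = struct.unpack_from(fmt, head, 16)
    return endian, f[4], f[8], f[9]

def classify_phdrs(endian, table, phentsize, phnum):
    """PT_INTERP -> 'dynamic'; PT_DYNAMIC alone -> 'other' (.so or static PIE); neither -> 'static'."""
    types = set()
    for i in range(phnum):
        off = i * phentsize
        if off + 4 > len(table):
            break  # truncated table: ignore entries we cannot read
        types.add(struct.unpack_from(endian + "I", table, off)[0])  # p_type comes first
    if PT_INTERP in types:
        return "dynamic"
    return "other" if PT_DYNAMIC in types else "static"

def classify_bytes(data):
    """Classify an in-memory image: 'dynamic', 'static', 'other' or 'not-elf'."""
    info = _ehdr_info(data[:64])
    if info is None:
        return "not-elf"
    endian, phoff, phentsize, phnum = info
    return classify_phdrs(endian, data[phoff:phoff + phentsize * phnum], phentsize, phnum)

def classify_file(path):
    """Same classification for a file, reading only the ELF header and program-header table."""
    with open(path, "rb") as fh:
        info = _ehdr_info(fh.read(64))
        if info is None:
            return "not-elf"
        endian, phoff, phentsize, phnum = info
        fh.seek(phoff)
        return classify_phdrs(endian, fh.read(phentsize * phnum), phentsize, phnum)

def find_static_executables(root):
    """Walk a tree (e.g. /usr/local/bin) and return its statically linked ELF files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                if classify_file(path) == "static":
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def build_elf(p_types, elf64=True, little=True):
    """Construct a minimal ELF image (sample data, not a runnable binary) with the given p_types."""
    endian = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1 if little else 2, 1, 0, 0]) + b"\0" * 7
    n = len(p_types)
    if elf64:  # ET_EXEC, EM_X86_64; program headers start right after the 64-byte header
        ehdr = struct.pack(endian + "HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
        phdrs = b"".join(struct.pack(endian + "IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in p_types)
    else:      # ET_EXEC, EM_386; 52-byte header, 32-byte program headers
        ehdr = struct.pack(endian + "HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, n, 40, 0, 0)
        phdrs = b"".join(struct.pack(endian + "IIIIIIII", t, 0, 0, 0, 0, 0, 5, 0x1000) for t in p_types)
    return ident + ehdr + phdrs

def demo():
    """Write constructed samples into a temp dir; return the names found to be static."""
    samples = {
        "static64": build_elf([1, 1]),                            # only PT_LOAD entries
        "dynamic64": build_elf([1, 3, 2]),                        # PT_LOAD, PT_INTERP, PT_DYNAMIC
        "static32be": build_elf([1], elf64=False, little=False),  # big-endian 32-bit static
        "libfoo.so": build_elf([1, 2]),                           # PT_DYNAMIC but no PT_INTERP
        "script.sh": b"#!/bin/sh\necho hi\n",                     # not an ELF file at all
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_static_executables(tmp)]
```

Run `demo()` to see the constructed set classified, or call `find_static_executables("/usr/local/bin")` on a real system to get the list Kris offers to produce for ports. The scanner reads only the two header regions of each file, so it is cheap over a whole prefix; files that carry PT_DYNAMIC without PT_INTERP are reported separately because shared objects and static PIEs need a different follow-up than a plain static executable.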