From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 14 12:23:58 2006
Return-Path:
X-Original-To: hackers@freebsd.org
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C46A916A412; Sat, 14 Oct 2006 12:23:58 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk)
Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D42C43D45; Sat, 14 Oct 2006 12:23:58 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk)
Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 3CD752FFFBE; Sat, 14 Oct 2006 12:23:57 +0000 (UTC)
Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 28BE41142D; Sat, 14 Oct 2006 14:23:57 +0200 (CEST)
Date: Sat, 14 Oct 2006 14:23:57 +0200
From: "Simon L. Nielsen"
To: Michael Johnson
Message-ID: <20061014122356.GD45953@zaphod.nitro.dk>
References: <20061006215902.GA21109@xor.obsecurity.org> <20061014003238.GA6341@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.11
Cc: hackers@freebsd.org, secteam@freebsd.org, Kris Kennaway
Subject: Re: Tracing binaries statically linked against vulnerable libs
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sat, 14 Oct 2006 12:23:58 -0000

On 2006.10.14 08:11:56 -0400, Michael Johnson wrote:
> On 10/13/06, Kris Kennaway wrote:
> >On Fri, Oct 13, 2006 at 05:18:57PM +0400, Andrew Pantyukhin wrote:
> >> On 10/7/06, Kris Kennaway wrote:
> >> >On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> >> >> I wonder if there is a way to deal with statically linked binaries,
> >> >> which use vulnerable libraries.
> >> >
> >> >The best way is to track them down and force them all to link
> >> >dynamically; static linking is a PITA from a systems management point
> >> >of view :)
> >>
> >> Do you think we could do that without a serious impact on
> >> performance?
> >
> >In most of the cases I've looked at the statically linked binary is
> >not performance critical or otherwise necessary (the only exception I
> >saw is for some tripwire-like port whose name I forget, which is
> >statically linked as a security enhancement, to make it less easily
> >subverted).  Static linking can be made an OPTION if someone thinks
> >it's really necessary for a given port.
>
> Each of the ports listed in this thread is a bad example of
> finding static linking to ffmpeg.  libxine, gstreamer-ffmpeg, and mplayer
> include ffmpeg in their source and don't link to multimedia/ffmpeg.
> Patching these ports to use a shared version of ffmpeg is pretty
> much out of the question since we would lose support from the
> authors.

If ports include their own vulnerable version, each port should be
marked vulnerable and fixed.  We have already done this for zlib,
libtiff etc. in the past.

For ports which just link statically against a library from another
port, and therefore need to be recompiled after the library port is
updated, I don't think they should be marked vulnerable in VuXML, but
it might be a good idea to bump the portrevision of the ports to
force a recompile (at least I don't see any better ways to do this).

-- 
Simon L. Nielsen
FreeBSD Security Team
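The "track them down" step the thread takes for granted, as an added example that is not part of the original mail or of the FreeBSD ports tree: classify an ELF image as dynamically or statically linked from its program headers (a dynamic executable carries PT_INTERP naming the run-time linker; a static one carries neither PT_INTERP nor PT_DYNAMIC), then look inside the image for the version strings that zlib, libtiff and ffmpeg compile into themselves, since in a dynamically linked binary those strings live in the .so and a hit in the binary itself means a static or bundled copy. The version-string patterns, the "first fixed version" table and the sample ELF images are assumptions constructed for the example; the real fixed versions come from VuXML.

```python
import re
import struct

PT_DYNAMIC = 2
PT_INTERP = 3

# Version strings these libraries compile into themselves. The exact formats
# are assumptions for this example; check them against the library source.
LIBRARY_PATTERNS = {
    "zlib":    re.compile(rb"(?:deflate|inflate) (\d+\.\d+\.\d+) Copyright"),
    "libtiff": re.compile(rb"LIBTIFF, Version (\d+\.\d+\.\d+)"),
    "ffmpeg":  re.compile(rb"FFmpeg version ([0-9][0-9A-Za-z.\-]*)"),
}


def program_header_types(data):
    """Return the p_type of every program header (ELF32/ELF64, either endian)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:      # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:    # ELFCLASS32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2a)
    else:
        raise ValueError("bad EI_CLASS")
    return [struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def linking_kind(data):
    """'dynamic' if the image asks for an interpreter (rtld), otherwise static.
    A static PIE keeps PT_DYNAMIC without PT_INTERP, so report it separately."""
    types = program_header_types(data)
    if PT_INTERP in types:
        return "dynamic"
    if PT_DYNAMIC in types:
        return "static-pie"
    return "static"


def parse_version(text):
    """'1.2.3' or '0.4.9-pre1' -> comparable tuple of the leading numbers."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


def embedded_libraries(data):
    """Library version strings found inside the image itself."""
    found = {}
    for name, pattern in LIBRARY_PATTERNS.items():
        m = pattern.search(data)
        if m:
            found[name] = m.group(1).decode("ascii", "replace")
    return found


def audit(data, fixed_versions):
    """Return (linking kind, [(lib, version, vulnerable)]) for one image.
    fixed_versions maps library -> first fixed version from the advisory."""
    findings = []
    for lib, ver in sorted(embedded_libraries(data).items()):
        fixed = fixed_versions.get(lib)
        vulnerable = fixed is not None and parse_version(ver) < parse_version(fixed)
        findings.append((lib, ver, vulnerable))
    return linking_kind(data), findings


def make_elf64(ptypes, payload=b""):
    """Minimal ELF64 image (not runnable) with the given program header types,
    followed by payload bytes. Constructed so the example works offline."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs + payload


# Constructed sample "binaries" standing in for files under /usr/local/bin.
SAMPLES = {
    "static-with-old-zlib": make_elf64(
        [1], b"\x00 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"),
    "static-with-fixed-tiff": make_elf64(
        [1], b"\x00LIBTIFF, Version 3.8.2\nCopyright (c) 1988-1996 Sam Leffler\x00"),
    "dynamic-app": make_elf64([PT_INTERP, PT_DYNAMIC, 1], b"\x00/libexec/ld-elf.so.1\x00"),
}
# Hypothetical "first fixed version" table; real values come from VuXML.
FIXED_VERSIONS = {"zlib": "1.2.3", "libtiff": "3.8.2"}


def audit_all(samples=SAMPLES, fixed_versions=FIXED_VERSIONS):
    return {name: audit(data, fixed_versions) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, findings) in audit_all().items():
        print(name, kind, findings)
```

On a real system, feed `audit` the bytes of each executable found under the ports prefix and take the fixed versions from the VuXML entry; a "dynamic" result with no embedded strings is the case Simon's PORTREVISION bump covers (the library is in the .so and the binary only needs a rebuild), while a "static" result with an old embedded version is the case that needs its own VuXML entry.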