Date: Tue, 4 Sep 2001 12:37:18 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, Matt Dillon, Mark Peek, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libc/stdlib strtol.3 strtol.c strtoll.c strtoq.c strtoul.3 strtoul.c strtoull.c strtouq.c
Message-ID: <20010904123718.A56317@xor.obsecurity.org>
In-Reply-To: <20010904233320.A34429@nagual.pp.ru>

On Tue, Sep 04, 2001 at 11:33:21PM +0400, Andrey A. Chernov wrote:
> On Tue, Sep 04, 2001 at 12:28:43 -0700, Kris Kennaway wrote:
> > Having rcsid[] visible in source files is very useful from my point of
> > view in determining whether a binary is vulnerable to a security
>
> There are no such strings in the binary due to shared linkage in most cases.

For the shared linkage case, the rcsids live in the lib.so.

> > vulnerability.  If we have rcsids in everything (especially
> > libraries), then it would be trivial to write scanning software which
>
> For released versions the library major is enough to determine the functions
> present there.

The problem is statically linked binaries, including third party
binaries.  We can't fix them, but we can at least identify them.  I had
to write several scanners for serious libc bugs for previous advisories,
and in the cases where there was no rcsid available it *sucked*.

Kris
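The kind of scanner Kris describes, as an added illustration that is not part of the original message or of any FreeBSD advisory tooling: it pulls `$FreeBSD: path,v rev ...$` ident strings out of a statically linked binary, compares the embedded revision of each tracked libc source file against the first revision carrying the fix, and separately reports files for which no rcsid was found, since absence of the string is not evidence the binary is safe. The file paths, revision numbers and the sample "binary" are constructed for the example and do not correspond to a real advisory.

```python
"""
Scan a (statically linked) binary for rcsid strings of the form

    $FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.9 2001/08/01 10:00:00 user Exp $

and report tracked libc source files whose embedded revision predates the fix.
Example code; the FIXED table and the sample blob are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Matches the keyword that a committed rcsid[] expands to (what ident(1) prints).
IDENT_RE = re.compile(
    rb"\$FreeBSD: (?P<path>[^,\s]+),v (?P<rev>\d+(?:\.\d+)*) [^$]*\$"
)

# Hypothetical "first fixed revision" table an advisory scanner would carry.
FIXED: Dict[str, str] = {
    "src/lib/libc/stdlib/strtol.c": "1.10",
    "src/lib/libc/stdlib/strtoul.c": "1.8",
}


def parse_rev(rev: str) -> Tuple[int, ...]:
    """'1.10' -> (1, 10): compare numerically, since lexically '1.10' < '1.9'."""
    return tuple(int(p) for p in rev.split("."))


def find_idents(blob: bytes) -> List[Tuple[str, str]]:
    """Return (path, revision) for every ident string found in the blob."""
    return [(m.group("path").decode(), m.group("rev").decode())
            for m in IDENT_RE.finditer(blob)]


def vulnerable_files(blob: bytes,
                     fixed: Dict[str, str] = FIXED) -> List[Tuple[str, str, str]]:
    """(path, found_rev, fixed_rev) for each tracked file older than its fix."""
    out = []
    for path, rev in find_idents(blob):
        want = fixed.get(path)
        if want is not None and parse_rev(rev) < parse_rev(want):
            out.append((path, rev, want))
    return out


def unidentified_files(blob: bytes, fixed: Dict[str, str] = FIXED) -> List[str]:
    """Tracked files with no rcsid in the blob: status unknown, not 'clean'."""
    seen = {p for p, _ in find_idents(blob)}
    return sorted(p for p in fixed if p not in seen)


# Constructed sample "binary": junk bytes around two ident strings, one older
# than the fix (strtol.c 1.9 < 1.10) and one already at the fixed revision.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"$FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.9 2001/08/01 10:00:00 user Exp $\x00"
    + b"\xde\xad\xbe\xef"
    + b"$FreeBSD: src/lib/libc/stdlib/strtoul.c,v 1.8 2001/09/04 16:39:11 user Exp $\x00"
)

if __name__ == "__main__":
    for path, rev, want in vulnerable_files(SAMPLE_BINARY):
        print(f"VULNERABLE {path}: rev {rev} < fixed {want}")
    for path in unidentified_files(SAMPLE_BINARY):
        print(f"UNKNOWN    {path}: no rcsid found, cannot tell")
```

Run against a real file with `vulnerable_files(open(path, "rb").read())`. The numeric revision comparison matters: a string compare would rank 1.10 below 1.9 and silently flag fixed binaries, and the "unknown" bucket is exactly the case Kris complains about, where a binary without rcsids cannot be classified at all.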