Date: Fri, 13 Oct 2006 17:18:57 +0400
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: hackers@freebsd.org, secteam@freebsd.org
Subject: Re: Tracing binaries statically linked against vulnerable libs
Message-ID: <cb5206420610130618ycb0a14ev90dbcebdbf6b6316@mail.gmail.com>
In-Reply-To: <20061006215902.GA21109@xor.obsecurity.org>
References: <cb5206420610052235t78033639vaa90429f07581078@mail.gmail.com> <20061006215902.GA21109@xor.obsecurity.org>
On 10/7/06, Kris Kennaway <kris@obsecurity.org> wrote:
> On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> > I wonder if there is a way to deal with statically linked binaries,
> > which use vulnerable libraries.
>
> The best way is to track them down and force them all to link
> dynamically; static linking is a PITA from a systems management point
> of view :)

Do you think we could do that without a serious impact on performance?
I know Gentoo has this Prelink feature
(http://www.gentoo.org/doc/en/prelink-howto.xml) which helps with
performance, but looks like a hack.

Anyway, maybe portmgr could issue some kind of a policy about this.
I.e. (1) use {build,run}_depends instead of lib_ when you depend on a
port providing both shared and static libraries, but link statically;
(2) make an effort to encourage dynamic linking - try to provide only
shared libs in new ports, remove unused static ones from old ones, and
so on.

The only secure way to deal with it now is to mark all ports that
depend on a vulnerable one, also vulnerable - and then try to figure
out which of them are indeed safe. Of course, this will result in half
of the tree being marked vulnerable most of the time :-(

Thanks!
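As an added illustration of the "track them down" step discussed above (example code written for this archive page, not from the thread's authors or from FreeBSD's own tooling): an inventory helper that parses ELF program headers directly to find statically linked executables (no PT_INTERP, no PT_DYNAMIC) and reports library version banners embedded in their bytes, so an administrator can match them against advisories. The version-banner patterns and the minimal ELF image builder are constructed for this example.

```python
import re
import struct
from pathlib import Path

PT_DYNAMIC, PT_INTERP = 2, 3
# Version banners some libraries embed in object code (constructed examples).
VERSION_MARKERS = {
    "zlib": re.compile(rb"inflate (\d+\.\d+(?:\.\d+)?) Copyright"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}

def elf_program_types(data):
    """Return the p_type of every program header, or None if data is not ELF."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or len(data) < 64:
        return None
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    is64 = data[4] == 2                          # EI_CLASS: 2 = ELF64
    off_fmt, off_at, counts_at = ("Q", 32, 54) if is64 else ("I", 28, 42)
    (phoff,) = struct.unpack_from(end + off_fmt, data, off_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, counts_at)
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum) if phoff + i * phentsize + 4 <= len(data)]

def is_static_elf(data):
    """Static link: no PT_INTERP (no ld-elf.so) and no PT_DYNAMIC segment."""
    types = elf_program_types(data)
    return types is not None and not ({PT_INTERP, PT_DYNAMIC} & set(types))

def embedded_library_versions(data):
    """Map library name -> version string found in the binary's bytes."""
    return {name: rx.search(data).group(1).decode()
            for name, rx in VERSION_MARKERS.items() if rx.search(data)}

def scan_tree(root):
    """Yield (path, versions) for every statically linked ELF under root."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                data = p.read_bytes()
            except OSError:
                continue
            if is_static_elf(data):
                yield str(p), embedded_library_versions(data)

def make_sample_elf64(ptypes, payload=b""):
    """Constructed minimal ELF64 image (headers only) for offline testing."""
    hdr = bytearray(b"\x7fELF\x02\x01" + bytes(58))     # ELF64, little-endian
    struct.pack_into("<Q", hdr, 32, 64)                 # e_phoff: right after header
    struct.pack_into("<HH", hdr, 54, 56, len(ptypes))   # e_phentsize, e_phnum
    return bytes(hdr) + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes) + payload
```

Run `scan_tree("/usr/local/bin")` on a ports-built system and compare the reported versions against the advisory for the library in question; a binary with no banner match still needs manual review, since not every library embeds one.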