Quoting Marc Bellarin:

>To find packages that had the static flag set when built run
>
># grep -r static /var/db/*| grep \/USE
>
>(This is no "V" but "\ /" !)

As you say, this just finds packages that were compiled using the
'static' flag.

A developer may have their own reasons for insisting that their program
be statically compiled against a particular library. In such a case,
you don't get to choose. The last time there was an openssl
vulnerability, I discovered that one of my machines (still using
apache-1.3.x, so using mod_ssl) was vulnerable *after* I had updated
openssl. I wasn't the only one on the list who had that problem. I've
never used the static flag, but mod_ssl was statically compiled against
openssl, and thus had to be re-compiled. No separate GLSA stating that;
you should just know, apparently. But no good method emerged to let one
figure out what other programs may do the same thing and also need to be
recompiled.

Hence the discussion yesterday in this thread. Jeremy Huddleston
suggested doing "readelf -s <exec> | grep <symbol>". I'm no guru, and
don't totally understand what a file containing any given symbol means,
but if this command does indeed show if a file was statically compiled
against a given library, then there are a lot of things that need to be
recompiled. Putting it in a little script and running it against my
/usr/bin/ shows such files as ftp, links2, mutt, ssh, and wget. That
doesn't sound right to me, but... how can I prove it one way or the other?

Marc's grep command above returns nothing compiled with the static USE
flag.

IMHO, in a source-based distribution this is a critical issue and needs to
be solved. I wish I knew what that solution was :(

-Joel Osburn


-- 
gentoo-security@g.o mailing list
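Added example for the question raised in the message above (it is not code from the thread, from Jeremy Huddleston, or from Gentoo). "readelf -s file | grep SSL_" lists a symbol whether the file defines it or merely imports it from a shared library (readelf marks imported ones UND in the Ndx column), which is why dynamically linked OpenSSL users such as ssh, wget and mutt show up too; and a stripped binary shows no symbols at all. The check that actually answers "does this file carry its own copy of OpenSSL?" is the one "readelf -d" would give: a dynamically linked file has a NEEDED entry for libssl/libcrypto in its PT_DYNAMIC segment and picks up the fixed library at run time, while a statically linked file has no such entry but still contains the OpenSSL version banner (e.g. "OpenSSL 0.9.7c 30 Sep 2003") in its read-only data and must be rebuilt. The script below does that check in pure Python, so it runs on a box without binutils. Assumptions: little-endian ELF64 input only, the library names libssl.so*/libcrypto.so*, and the version-banner regex as a heuristic; build_sample_elf constructs a minimal fake ELF image purely as sample input.

```python
"""Classify ELF files by how they use OpenSSL (assumes little-endian ELF64 input).

Dynamic users have a NEEDED entry for libssl/libcrypto in PT_DYNAMIC and need no rebuild.
Static users have no such entry but still carry the OpenSSL version banner in their data
and must be rebuilt after an OpenSSL update.  Pure Python; no binutils required."""
import re
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_SONAME = 0, 1, 5, 10, 14
OPENSSL_LIBS = ("libssl.so", "libcrypto.so")          # assumed library name prefixes
VERSION_RE = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]*")  # heuristic: version banner


def parse_dynamic(data):
    """Return (needed_libs, soname) from the PT_DYNAMIC segment, ([], None) when the file
    has no usable dynamic segment (fully static), or None when it is not ELF64 LE at all."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return [], None
    entries = []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):   # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<qQ", data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset through the PT_LOAD segments.
    strtab = None
    for vaddr, off, filesz in loads:
        for tag, val in entries:
            if tag == DT_STRTAB and vaddr <= val < vaddr + filesz:
                strtab = val - vaddr + off
    if strtab is None:
        return [], None

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    needed = [cstr(strtab + v) for t, v in entries if t == DT_NEEDED]
    soname = next((cstr(strtab + v) for t, v in entries if t == DT_SONAME), None)
    return needed, soname


def classify(data):
    """'not-elf', 'is-openssl' (libssl/libcrypto itself), 'dynamic' (safe after an
    OpenSSL update), 'static' (must be rebuilt) or 'none' (no OpenSSL found)."""
    info = parse_dynamic(data)
    if info is None:
        return "not-elf"
    needed, soname = info
    if soname and soname.startswith(OPENSSL_LIBS):
        return "is-openssl"
    if any(lib.startswith(OPENSSL_LIBS) for lib in needed):
        return "dynamic"
    if VERSION_RE.search(data):
        return "static"
    return "none"


def classify_file(path):
    """Classify a file on disk; missing, truncated or unreadable files give 'unreadable'."""
    try:
        with open(path, "rb") as fh:
            return classify(fh.read())
    except (OSError, struct.error, ValueError, IndexError):
        return "unreadable"


def build_sample_elf(needed, soname=None, payload=b""):
    """Constructed sample input (not a runnable program): a minimal ELF64 image with one
    PT_LOAD at 0x400000 covering the whole file, a string table and a PT_DYNAMIC segment."""
    base, hdr = 0x400000, 64 + 2 * 56
    strtab, at = b"\0", {}
    for name in list(needed) + ([soname] if soname else []):
        at[name], strtab = len(strtab), strtab + name.encode() + b"\0"
    dyn_off = hdr + len(strtab) + (-(hdr + len(strtab))) % 8      # 8-byte align Elf64_Dyn
    dyn = [(DT_NEEDED, at[n]) for n in needed] + ([(DT_SONAME, at[soname])] if soname else [])
    dyn += [(DT_STRTAB, base + hdr), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    body = strtab.ljust(dyn_off - hdr, b"\0") + dyn_bytes + payload
    total = hdr + len(body)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdr += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                        len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + body


if __name__ == "__main__":   # e.g. python3 sslscan.py /usr/bin/* /usr/lib/apache/modules/*.so
    for path in sys.argv[1:]:
        verdict = classify_file(path)
        if verdict in ("static", "dynamic"):
            print(f"{verdict:8} {path}")
```

Two caveats a practitioner should keep in mind: a program that loads libssl with dlopen() has neither a NEEDED entry nor a banner and is reported as 'none', and a program whose help text merely mentions "OpenSSL 0.9.7" will be reported as 'static'; treat the 'static' list as candidates to confirm with "readelf -d" and the package's build options rather than as proof.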