| 1 |
Quoting Marc Bellarin: |
| 2 |
>To find packages that had the static flag set when built run |
| 3 |
> |
| 4 |
># grep -r static /var/db/*| grep \/USE |
| 5 |
> |
| 6 |
>(This is no "V" but "\ /" !) |
| 7 |
|
| 8 |
As you say, this just find packages that were compiled using the |
| 9 |
'static' flag. |
| 10 |
|
| 11 |
A developer may have their own reasons for insisting that their program |
| 12 |
be statically compiled against a particular library. In such a case, |
| 13 |
you don't get to choose. The last time there was an openssl |
| 14 |
vulnerability, I discovered that one of my machines (still using |
| 15 |
apache-1.3.x, so using mod_ssl) was vulnerable *after* I had updated |
| 16 |
openssl. I wasn't the only one on the list who had that problem. I've |
| 17 |
never used the static flag, but mod_ssl was statically compiled against |
| 18 |
openssl, and thus had to be re-compiled. No separate GLSA stating that, |
| 19 |
you should just know, apparently. But no good method emerged to let one |
| 20 |
figure out what other programs may do the same thing and also need to be |
| 21 |
recompiled. |
| 22 |
|
| 23 |
Hence the discussion yesterday in this thread. Jeremy Huddleston |
| 24 |
suggested doing "readelf -s <exec> | grep <symbol>". I'm no guru, and |
| 25 |
don't totally understand what a file containing any given symbol means, |
| 26 |
but if this command does indeed show if a file was statically compiled |
| 27 |
against a given library, then there are a lot of things that need to be |
| 28 |
recompiled. Put it in a little script and run it against my /usr/bin/ |
| 29 |
shows such files as ftp, links2, mutt, ssh, and wget. That doesn't |
| 30 |
sound right to me, but... how can I prove it one way or the other? |
| 31 |
|
| 32 |
Marc's grep command above returns nothing compiled with the static USE |
| 33 |
flag. |
| 34 |
|
| 35 |
IMHO, in source-based distribution this is a critical issue and needs to |
| 36 |
be solved. I wish I knew what that solution was :( |
| 37 |
|
| 38 |
-Joel Osburn |
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
gentoo-security@g.o mailing list |
Archives