> -----Original Message-----
> From: Simon Reynolds [mailto:sproket@××××××××.net]
> Sent: Friday, March 19, 2004 11:22 AM
> To: gentoo-security@l.g.o
> Subject: RE: [gentoo-security] Do I need to rebuild things after upgrading ssl?

<snip>

>
> FYI: if the symbol appears in the ELF file, and it was dynamically
> linked to libssl, you probably don't need to worry about it.
>
> Keeping track of statically compiled dependencies through portage is a
> good idea, in the meantime here's a simple script to search your
> system:
> Warning! This takes a while to run, 15 min. on my system. It is not
> guaranteed to be exhaustive, and it may fry your hard drive. On my
> system, it returned three false positives.
>
>
> #!/bin/bash
>
> # I probably should have had this only check binaries coming from
> # packages which depend on ssl, but I wanted to be sure
>
> for d in /bin /lib /sbin /usr/bin /usr/lib /usr/libexec /usr/sbin \
>          /usr/X11R6/bin /usr/X11R6/lib /usr/games/bin /opt
> do
>     # executable regular files only; -perm /0111 is the current GNU find
>     # spelling of the old +0111, and -print0/read -d '' keeps paths with
>     # spaces intact (a plain `for i in $(find ...)` would split them)
>     find "$d" -type f -perm /0111 -print0 2>/dev/null |
>     while IFS= read -r -d '' i
>     do
>         file "$i" | grep ELF >/dev/null || continue            # ELF objects only
>         ldd "$i" | grep libssl >/dev/null && continue           # dynamically linked: fine
>         readelf -s "$i" | grep " SSL_" >/dev/null || continue   # references libssl symbols
>         echo "$i"
>     done
> done
>

Adding the ldd test to my test script (which follows the same logic as
Simon's) and running it on /usr/bin yields ssh as a guilty party. Can
this be so? Running "ldd ssh" yields:

libutil.so.1 => /lib/libutil.so.1 (0x40019000)
libz.so.1 => /usr/lib/libz.so.1 (0x4001c000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002a000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x4003f000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4013c000)
libc.so.6 => /lib/libc.so.6 (0x40169000)
libdl.so.2 => /lib/libdl.so.2 (0x40299000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

While "readelf -s ssh | grep -i ssl" results in:

22: 0804a8d0 175 FUNC GLOBAL DEFAULT UND SSLeay_version
56: 0804aaf0 37 FUNC GLOBAL DEFAULT UND OPENSSL_add_all_algorithm
83: 0804ac90 10 FUNC GLOBAL DEFAULT UND SSLeay

So does openssh need to be recompiled whenever one recompiles openssl,
or is there another explanation?

-Joel Osburn


--
gentoo-security@g.o mailing list
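The question in the thread turns on one column of the readelf -s listing: Ndx. A symbol whose Ndx is UND is undefined in the binary and is imported at load time from a shared object, so a new libcrypto.so.0.9.7 is picked up on the next start; a symbol with a numeric Ndx is defined inside the binary, which is what a statically linked copy of OpenSSL looks like. The script below is an added example, not Simon's script or Joel's: it classifies a binary from the text of `readelf -s` and `ldd` rather than from the presence of a name alone. The function and variable names are mine, the prefix list in OPENSSL_SYM_RE is an assumed subset of the libssl/libcrypto exports, the ssh sample is the listing quoted in the posting, and the "static" sample is constructed for illustration.

```shell
#!/bin/bash
# Added example (not code from the gentoo-security thread): classify how an
# ELF file uses OpenSSL so that a dynamically linked binary such as the ssh
# in the posting is not reported alongside a statically linked copy.

# Assumed subset of symbol prefixes exported by libssl (SSL_, SSLv, TLSv) and
# libcrypto (SSLeay, OPENSSL_, CRYPTO_, EVP_, ...); extend as needed.
OPENSSL_SYM_RE='^(SSL_|SSLv|TLSv|SSLeay|OPENSSL_|CRYPTO_|EVP_|RSA_|BN_|X509_|ERR_)'

# classify_openssl_usage READELF_TEXT LDD_TEXT
# Prints one of:
#   static     - OpenSSL symbols are defined in the file (Ndx is a section number)
#   dynamic    - OpenSSL symbols are UND and ldd lists libssl/libcrypto
#   unresolved - OpenSSL symbols are UND but no libssl/libcrypto in ldd output
#   none       - no OpenSSL symbols at all
classify_openssl_usage() {
    local readelf_out=$1 ldd_out=$2 counts defined undefined links_openssl=0
    # readelf -s columns: Num: Value Size Type Bind Vis Ndx Name
    counts=$(printf '%s\n' "$readelf_out" | awk -v re="$OPENSSL_SYM_RE" '
        NF >= 8 && $1 ~ /^[0-9]+:$/ && $8 ~ re {
            if ($7 == "UND") und++; else def++
        }
        END { printf "%d %d\n", def + 0, und + 0 }')
    defined=${counts% *}
    undefined=${counts#* }
    printf '%s\n' "$ldd_out" | grep -Eq 'lib(ssl|crypto)\.so' && links_openssl=1
    if [ "$defined" -gt 0 ]; then
        echo static
    elif [ "$undefined" -gt 0 ] && [ "$links_openssl" -eq 1 ]; then
        echo dynamic
    elif [ "$undefined" -gt 0 ]; then
        echo unresolved
    else
        echo none
    fi
}

# scan_file PATH: run the real tools on one file and print "<class>\t<path>".
scan_file() {
    local f=$1 readelf_out ldd_out
    # libssl/libcrypto themselves define these symbols; they are not "static copies"
    case "$f" in */libssl.so*|*/libcrypto.so*) return 0 ;; esac
    file "$f" | grep -q ELF || return 0
    readelf_out=$(readelf -s "$f" 2>/dev/null) || return 0
    ldd_out=$(ldd "$f" 2>/dev/null)   # empty for fully static binaries; that is fine
    printf '%s\t%s\n' "$(classify_openssl_usage "$readelf_out" "$ldd_out")" "$f"
}

# Sample inputs: the ssh listing quoted in the posting, and a constructed
# listing of what a statically linked copy of libssl looks like (Ndx = 12).
SAMPLE_SSH_READELF='    22: 0804a8d0   175 FUNC    GLOBAL DEFAULT  UND SSLeay_version
    56: 0804aaf0    37 FUNC    GLOBAL DEFAULT  UND OPENSSL_add_all_algorithm
    83: 0804ac90    10 FUNC    GLOBAL DEFAULT  UND SSLeay'
SAMPLE_SSH_LDD='	libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x4003f000)
	libc.so.6 => /lib/libc.so.6 (0x40169000)'
SAMPLE_STATIC_READELF='   410: 08052b40   212 FUNC    GLOBAL DEFAULT   12 SSL_CTX_new
   411: 0804e1c0    55 FUNC    GLOBAL DEFAULT   12 SSL_library_init'

# Walk the same directories as the posted script when invoked with --scan,
# reporting only the two cases that need attention.
if [ "${1-}" = "--scan" ]; then
    find /bin /lib /sbin /usr/bin /usr/lib /usr/libexec /usr/sbin /opt \
         -type f -perm /0111 -print0 2>/dev/null |
    while IFS= read -r -d '' f; do
        scan_file "$f"
    done | grep -E '^(static|unresolved)'
else
    echo "ssh sample:    $(classify_openssl_usage "$SAMPLE_SSH_READELF" "$SAMPLE_SSH_LDD")"
    echo "static sample: $(classify_openssl_usage "$SAMPLE_STATIC_READELF" "")"
fi
```

Run without arguments it classifies the two embedded samples; with `--scan` it walks the directories and prints only `static` and `unresolved` hits, one path per line. The Ndx test makes the `ldd | grep libssl` step unnecessary for deciding static versus dynamic; ldd output is only used to tell an ordinary dynamic import from one whose provider is missing or loaded some other way. Two gaps remain, matching Simon's "not guaranteed to be exhaustive": a fully static binary that has been stripped has no symbol table left for readelf -s to show, and a build that renamed or hid the OpenSSL symbols is invisible to any name-based check, so a package-level record of what was built against OpenSSL is still the authoritative list.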