| 1 |
> -----Original Message----- |
| 2 |
> From: Simon Reynolds [mailto:sproket@××××××××.net] |
| 3 |
> Sent: Friday, March 19, 2004 11:22 AM |
| 4 |
> To: gentoo-security@l.g.o |
| 5 |
> Subject: RE: [gentoo-security] Do I need to rebuild things |
| 6 |
> after upgradingssl? |
| 7 |
|
| 8 |
<snip> |
| 9 |
|
| 10 |
> |
| 11 |
> FYI: if the symbol appears in the ELF file, and it was dynamically |
| 12 |
> linked to libssl, you probably don't need to worry about it. |
| 13 |
> |
| 14 |
> Keeping track of statically compiled dependencies through portage is a |
| 15 |
> good idea, in the mean time here's a simple script to search your |
| 16 |
> system: |
| 17 |
> Warning! This takes a while to run, 15 min. on my system. It is not |
| 18 |
> guaranteed to be exhaustive, and it may fry your hard drive. On my |
| 19 |
> system, it returned three false positives. |
| 20 |
> |
| 21 |
> |
| 22 |
> #!/bin/bash |
| 23 |
> |
| 24 |
> # I probably should have had this only check binaries coming from |
| 25 |
> # packages which depend on ssl, but I wanted to be sure |
| 26 |
> |
| 27 |
> for d in /bin /lib /sbin /usr/bin /usr/lib /usr/libexec /usr/sbin \ |
| 28 |
> /usr/X11R6/bin /usr/X11R6/lib /usr/games/bin /usr/games/bin /opt |
| 29 |
> do |
| 30 |
> for i in `find $d -type f -perm +0111` |
| 31 |
> do |
| 32 |
> file $i | grep ELF >/dev/null || continue |
| 33 |
> ldd $i | grep libssl >/dev/null && continue |
| 34 |
> readelf -s $i | grep " SSL_" >/dev/null || continue |
| 35 |
> echo $i |
| 36 |
> done |
| 37 |
> done |
| 38 |
> |
| 39 |
|
| 40 |
|
| 41 |
Adding the ldd test to my test script (which follows the same logic as |
| 42 |
Simon's)and running it on /usr/bin yields ssh as a guilty party. Can |
| 43 |
this be so? Running "ldd ssh" yields: |
| 44 |
|
| 45 |
libutil.so.1 => /lib/libutil.so.1 (0x40019000) |
| 46 |
libz.so.1 => /usr/lib/libz.so.1 (0x4001c000) |
| 47 |
libnsl.so.1 => /lib/libnsl.so.1 (0x4002a000) |
| 48 |
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x4003f000) |
| 49 |
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4013c000) |
| 50 |
libc.so.6 => /lib/libc.so.6 (0x40169000) |
| 51 |
libdl.so.2 => /lib/libdl.so.2 (0x40299000) |
| 52 |
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) |
| 53 |
|
| 54 |
While "readelf -s ssh | grep -i ssl" results in: |
| 55 |
|
| 56 |
22: 0804a8d0 175 FUNC GLOBAL DEFAULT UND SSLeay_version |
| 57 |
56: 0804aaf0 37 FUNC GLOBAL DEFAULT UND |
| 58 |
OPENSSL_add_all_algorithm |
| 59 |
83: 0804ac90 10 FUNC GLOBAL DEFAULT UND SSLeay |
| 60 |
|
| 61 |
So does openssh need to be recompiled whenever one recompiles openssl, |
| 62 |
or is there another explanation? |
| 63 |
|
| 64 |
-Joel Osburn |
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-security@g.o mailing list |
Archives