| 1 |
Joel Osburn wrote: |
| 2 |
> Quoting Marc Bellarin: |
| 3 |
> |
| 4 |
>>To find packages that had the static flag set when built run |
| 5 |
>> |
| 6 |
>># grep -r static /var/db/*| grep \/USE |
| 7 |
>> |
| 8 |
>>(This is no "V" but "\ /" !) |
| 9 |
> |
| 10 |
> |
| 11 |
> As you say, this just find packages that were compiled using the |
| 12 |
> 'static' flag. |
| 13 |
> |
| 14 |
> A developer may have their own reasons for insisting that their program |
| 15 |
> be statically compiled against a particular library. In such a case, |
| 16 |
> you don't get to choose. The last time there was an openssl |
| 17 |
> vulnerability, I discovered that one of my machines (still using |
| 18 |
> apache-1.3.x, so using mod_ssl) was vulnerable *after* I had updated |
| 19 |
> openssl. I wasn't the only one on the list who had that problem. I've |
| 20 |
> never used the static flag, but mod_ssl was statically compiled against |
| 21 |
> openssl, and thus had to be re-compiled. No separate GLSA stating that, |
| 22 |
> you should just know, apparently. But no good method emerged to let one |
| 23 |
> figure out what other programs may do the same thing and also need to be |
| 24 |
> recompiled. |
| 25 |
> |
| 26 |
> Hence the discussion yesterday in this thread. Jeremy Huddleston |
| 27 |
> suggested doing "readelf -s <exec> | grep <symbol>". I'm no guru, and |
| 28 |
> don't totally understand what a file containing any given symbol means, |
| 29 |
> but if this command does indeed show if a file was statically compiled |
| 30 |
> against a given library, then there are a lot of things that need to be |
| 31 |
> recompiled. Put it in a little script and run it against my /usr/bin/ |
| 32 |
> shows such files as ftp, links2, mutt, ssh, and wget. That doesn't |
| 33 |
> sound right to me, but... how can I prove it one way or the other? |
| 34 |
> |
| 35 |
> Marc's grep command above returns nothing compiled with the static USE |
| 36 |
> flag. |
| 37 |
> |
| 38 |
> IMHO, in source-based distribution this is a critical issue and needs to |
| 39 |
> be solved. I wish I knew what that solution was :( |
| 40 |
> |
| 41 |
|
| 42 |
A list of libraries used staticly in a package could be generated by |
| 43 |
hooking gcc, ld etc. when compiling the package. That way ebuild could |
| 44 |
watch for --static flags and record any library used static. |
| 45 |
|
| 46 |
/Johan Andersson |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-security@g.o mailing list |
Archives