Joel Osburn wrote:

> Quoting Marc Bellarin:
>
>>To find packages that had the static flag set when built run
>>
>># grep -r static /var/db/*| grep \/USE
>>
>>(This is no "V" but "\ /" !)
>
>
> As you say, this just finds packages that were compiled using the
> 'static' flag.
>
> A developer may have their own reasons for insisting that their program
> be statically compiled against a particular library. In such a case,
> you don't get to choose. The last time there was an openssl
> vulnerability, I discovered that one of my machines (still using
> apache-1.3.x, so using mod_ssl) was vulnerable *after* I had updated
> openssl. I wasn't the only one on the list who had that problem. I've
> never used the static flag, but mod_ssl was statically compiled against
> openssl, and thus had to be re-compiled. No separate GLSA stating that,
> you should just know, apparently. But no good method emerged to let one
> figure out what other programs may do the same thing and also need to be
> recompiled.
>
> Hence the discussion yesterday in this thread. Jeremy Huddleston
> suggested doing "readelf -s <exec> | grep <symbol>". I'm no guru, and
> don't totally understand what a file containing any given symbol means,
> but if this command does indeed show if a file was statically compiled
> against a given library, then there are a lot of things that need to be
> recompiled. Putting it in a little script and running it against my /usr/bin/
> shows such files as ftp, links2, mutt, ssh, and wget. That doesn't
> sound right to me, but... how can I prove it one way or the other?
>
> Marc's grep command above returns nothing compiled with the static USE
> flag.
>
> IMHO, in a source-based distribution this is a critical issue and needs to
> be solved. I wish I knew what that solution was :(
>

A list of libraries used statically in a package could be generated by
hooking gcc, ld etc. when compiling the package. That way ebuild could
watch for --static flags and record any library used statically.

/Johan Andersson

--
gentoo-security@g.o mailing list
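The readelf check Joel asks about, worked through as an added example (this is not code from the thread or from any Gentoo tool). `readelf -s` lists every symbol the file references, including the ones it imports from a shared library at load time, which readelf marks with `UND` in the Ndx column; a bare grep for a symbol name therefore also hits binaries that are merely linked against the shared libssl and are already fixed by updating it. A statically linked copy of the library shows up differently: the symbols are defined inside the file, with a numeric section index in Ndx. The script below separates the two cases and cross-checks against the NEEDED entries of the dynamic section. The function names, the OpenSSL symbol-prefix list and the readelf listings embedded as samples are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): tell "imports the shared library" apart from
# "contains its own copy of the library". Function names, the symbol-prefix list and
# the sample listings below are constructed for this example.

# Read `readelf -Ws FILE` output on stdin and classify the file's use of a library.
# $1: ERE matched against symbol names (default: common OpenSSL API prefixes).
# Prints one word:
#   dynamic - matching symbols appear only as UND (imported from the shared library
#             at load time); updating libssl/libcrypto on disk covers this file
#   static  - matching symbols are defined inside the file (numeric Ndx), i.e. a
#             private copy of the library was linked in; the package must be rebuilt
#   none    - no matching symbols (see the note on stripped binaries below)
classify_lib_refs() {
    awk -v pat="${1:-^(SSL_|CRYPTO_|EVP_|BIO_|RSA_)}" '
        # readelf -Ws columns: Num: Value Size Type Bind Vis Ndx Name
        $4 == "FUNC" && $8 ~ pat { if ($7 == "UND") undef++; else defined++ }
        END {
            if (defined > 0)    print "static"
            else if (undef > 0) print "dynamic"
            else                print "none"
        }'
}

# Read `readelf -d FILE` output on stdin and print the NEEDED entries matching $1.
# A "dynamic" file should list libssl/libcrypto here; a "static" one usually will not.
needed_libs() {
    awk -v pat="${1:-lib(ssl|crypto)[.]so}" '
        /\(NEEDED\)/ { gsub(/\[|\]/, "", $NF); if ($NF ~ pat) print $NF }'
}

# Walk one directory (e.g. /usr/bin) with the real readelf; one line per ELF file.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        readelf -h "$f" >/dev/null 2>&1 || continue   # skip scripts and other non-ELF files
        printf '%s\t%s\n' "$(readelf -Ws "$f" | classify_lib_refs)" "$f"
    done
}

# Constructed readelf listings: one binary that imports OpenSSL from the shared library,
# one that carries its own copy (symbols with a real section index), and a dynamic section.
SAMPLE_DYNAMIC="Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND SSL_connect@OPENSSL_1_1_0 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (3)"
SAMPLE_STATIC="Symbol table '.symtab' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000401136    38 FUNC    GLOBAL DEFAULT   14 SSL_connect
     2: 0000000000401180   120 FUNC    GLOBAL DEFAULT   14 SSL_CTX_new
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (3)"
SAMPLE_DYNSEC=" 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]"

# Scan a real directory if one is given, otherwise classify the constructed samples.
if [ -n "${1:-}" ]; then
    scan_dir "$1"
else
    printf 'sample dynamic: %s\n' "$(printf '%s\n' "$SAMPLE_DYNAMIC" | classify_lib_refs)"
    printf 'sample static:  %s\n' "$(printf '%s\n' "$SAMPLE_STATIC" | classify_lib_refs)"
    printf 'sample NEEDED:  %s\n' "$(printf '%s\n' "$SAMPLE_DYNSEC" | needed_libs | tr '\n' ' ')"
fi
```

Run with a directory argument to get one `dynamic`/`static`/`none` verdict per ELF file; the `dynamic` entries are the ftp/ssh/wget kind of hit and need no rebuild. One caveat: a statically linked copy is only visible this way while the file still has its `.symtab`. Portage strips installed binaries by default, and a stripped file keeps only the `.dynsym` imports, so a stripped binary with an embedded copy of OpenSSL reports `none`. For those, the version text the library embeds (`strings FILE | grep 'OpenSSL [0-9]'`) is the remaining clue, and a mismatch with the installed library version is the rebuild signal.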
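Johan's build-time hook, sketched as an added example; it is not an existing Portage feature and not code from the thread. The idea is a wrapper that sits in front of the real compiler driver, looks at each link command line and records which libraries would be bound statically: everything after a bare `-static`, anything between `-Wl,-Bstatic` and `-Wl,-Bdynamic`, and any `.a` archive named explicitly. Runtime-support flags such as `-static-libgcc` are ignored because they do not pull in a package's library. The function names, the log path and the real-compiler path are assumptions; how the wrapper is put ahead of the real compiler (`CC`, `PATH`, or an ebuild helper) is left to the build system.

```shell
#!/bin/sh
# Added example (not from the thread, not a Portage feature): a compiler wrapper that
# records libraries a link step binds statically. STATIC_LINK_LOG, REAL_CC and the
# function names are hypothetical.

# Print, one per line, the libraries the given link command would bind statically.
#   -static                 every -l library from here on is static
#   -Wl,-Bstatic / -Bstatic start a static region; -Wl,-Bdynamic / -Bdynamic ends it
#   -static-libgcc etc.     runtime support, not a package library; ignored
#   foo.a                   an archive on the command line is always static
static_libs_in_cmd() {
    all_static=no
    region_static=no
    for a in "$@"; do
        case "$a" in
            -static)                 all_static=yes ;;
            -static-*)               ;;
            -Wl,-Bstatic|-Bstatic)   region_static=yes ;;
            -Wl,-Bdynamic|-Bdynamic) region_static=no ;;
            -l*)
                if [ "$all_static" = yes ] || [ "$region_static" = yes ]; then
                    printf '%s\n' "${a#-l}"
                fi ;;
            *.a)                     printf '%s\n' "$a" ;;
        esac
    done
}

# Wrapper entry point: append "timestamp directory library" lines for any static
# bindings, then hand the unchanged command line to the real compiler driver.
cc_wrapper() {
    libs=$(static_libs_in_cmd "$@")
    if [ -n "$libs" ]; then
        printf '%s\n' "$libs" | while read -r lib; do
            printf '%s %s %s\n' "$(date +%FT%T)" "$PWD" "$lib"
        done >> "${STATIC_LINK_LOG:-/tmp/static-link.log}"
    fi
    exec "${REAL_CC:-/usr/bin/cc.real}" "$@"
}

# Constructed link lines, to show what would be recorded for each.
printf 'fully static:   %s\n' "$(static_libs_in_cmd gcc -static -o prog prog.o -lssl -lcrypto | tr '\n' ' ')"
printf 'static region:  %s\n' "$(static_libs_in_cmd gcc -o prog prog.o -Wl,-Bstatic -lssl -Wl,-Bdynamic -lcrypto | tr '\n' ' ')"
printf 'archive:        %s\n' "$(static_libs_in_cmd gcc -o prog prog.o -lssl /usr/lib/libcrypto.a -static-libgcc | tr '\n' ' ')"
```

The log produced this way answers the question Joel raises at install time rather than after the fact: when a GLSA for a library lands, `grep` the log for that library and the directories listed are the builds to redo. The parser deliberately ignores `-static-libgcc` and friends, and it does not follow libtool `.la` files or linker scripts, so a library pulled in indirectly through those still escapes it.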