| 1 |
On 2012-12-16, Nikos Chantziaras wrote: |
| 2 |
|
| 3 |
> On 15/12/12 12:18, Volker Armin Hemmann wrote: |
| 4 |
>> Am Freitag, 14. Dezember 2012, 21:34:54 schrieb Kevin Chadwick: |
| 5 |
>> |
| 6 |
>>> On OpenBSD which has the benefit of userland being part of it. All the |
| 7 |
>>> critical single user binaries are in root and built statically as much |
| 8 |
>>> as possible, maximising system reliability no matter the custom |
| 9 |
>>> requirements or packages. |
| 10 |
>> |
| 11 |
>> until a flaw is found in one of the libs used and all those statically linked |
| 12 |
>> binaries are in danger. Well done! |
| 13 |
> |
| 14 |
> I don't see why this would only affect statically linked |
| 15 |
> executables. If a bug is found in a library, all dynamically linked |
| 16 |
> executables are affected as well. When the BSD packagers put out an |
| 17 |
> update for the library, they'll also put updates for the static |
| 18 |
> binaries that use it. |
| 19 |
> |
| 20 |
> I don't see any security issue here. |
| 21 |
|
| 22 |
Even more than that, if a flaw is found, no matter if those are |
| 23 |
statically or dinamically linked, the flaw exists both ways, and can be |
| 24 |
exploited in both scenarios. About replacing, you can just replace all |
| 25 |
those binaries like you would replace the dynamically linkable one. But |
| 26 |
you'd have to consider that the flaw may have been exploited in both |
| 27 |
scenarios. |
| 28 |
|
| 29 |
-- |
| 30 |
Nuno Silva (aka njsg) |
| 31 |
http://njsg.sdf-eu.org/ |
Archives