On 2012-12-16, Nikos Chantziaras wrote:

> On 15/12/12 12:18, Volker Armin Hemmann wrote:
>> On Friday, 14 December 2012, 21:34:54, Kevin Chadwick wrote:
>>
>>> On OpenBSD which has the benefit of userland being part of it. All the
>>> critical single user binaries are in root and built statically as much
>>> as possible, maximising system reliability no matter the custom
>>> requirements or packages.
>>
>> until a flaw is found in one of the libs used and all those statically linked
>> binaries are in danger. Well done!
>
> I don't see why this would only affect statically linked
> executables. If a bug is found in a library, all dynamically linked
> executables are affected as well. When the BSD packagers put out an
> update for the library, they'll also put updates for the static
> binaries that use it.
>
> I don't see any security issue here.

Even more than that, if a flaw is found, no matter if those are
statically or dynamically linked, the flaw exists both ways, and can be
exploited in both scenarios. About replacing, you can just replace all
those binaries like you would replace the dynamically linkable one. But
you'd have to consider that the flaw may have been exploited in both
scenarios.

--
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/