Re: libc patch (resolver)



On Wed, Jun 26, 2002 at 10:05:59PM -0500, C. Bensend wrote:
> Hey folks,
> 
> 	I'm just catching up on the bazillion and five
> security-related emails lately, and I saw the announcement of
> the libc vulnerability.
> 
> 	-> As I understand it <- , this vulnerability affects many
> (if not all) of the binaries in /bin and /sbin.  If I am incorrect,
> please feel free to correct me in a constructive way - I have read
> nothing that suggests otherwise.
> 
> 	My question:  is there a simpler way of rebuilding all of
> the binaries that have been statically compiled, short of an ugly
> 'find /usr/src ...' 

In addition to all /bin and /sbin:

find /usr/bin /usr/sbin /usr/X11R6 /usr/games /usr/mdec /usr/libexec \
/usr/share /usr/local -type f -and \
\( -perm -o+x -or -perm -g+x -or -perm -u+x \) | \
xargs file | egrep -vw "dynamically linked|text|library"

(not sure if we should also rebuild static libraries ...)

which gives me on a 3.1 box:

/usr/bin/encrypt:       OpenBSD/i386 demand paged executable
/usr/bin/gunzip:        OpenBSD/i386 demand paged executable
/usr/bin/gzcat:         OpenBSD/i386 demand paged executable
/usr/bin/gzip:          OpenBSD/i386 demand paged executable
/usr/bin/kdump:         OpenBSD/i386 demand paged executable
/usr/bin/ktrace:        OpenBSD/i386 demand paged executable
/usr/sbin/chroot:       OpenBSD/i386 demand paged executable
/usr/sbin/pwd_mkdb:     OpenBSD/i386 demand paged executable
/usr/mdec/biosboot:     OpenBSD/i386 object file not stripped
/usr/mdec/boot:         OpenBSD/i386 demand paged executable
/usr/mdec/installboot:  OpenBSD/i386 demand paged executable
/usr/mdec/mbr:          data
/usr/libexec/makekey:   OpenBSD/i386 demand paged executable
/usr/local/bin/bash:    OpenBSD/i386 demand paged executable

> script to find all of the statically compiled
> binaries, and recompile them (after the resolver patch has been
> applied)?  

cd /usr/src && make build ?

> I have installed the patch, now I'm worried about the
> last two lines of the patch intro:
> 
> 	"Note that programs that are linked statically will not pick up
> the change unless they are rebuilt.  This includes the contents of /bin
> and /sbin."

This also means that certain ports should also be rebuilt. For
example, but not limited to, any static shell you may have.

-- 
Rémi
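
Added example (not part of the original message): a stricter form of the find/file filter above, for auditing which executables would still carry the old resolver code after the libc patch. The function names are hypothetical, and the sample file(1) lines are constructed, partly from the listing in the message.

```shell
#!/bin/sh
# Added example, not from the original thread.

# classify_static: read file(1) output ("path: description") on stdin and
# print the paths described as native executables that are not dynamically
# linked. Scripts ("text"), libraries, object files and raw data are
# skipped. Limitation: a path that itself contains ": " is split wrongly.
classify_static() {
    awk '{
        if (!match($0, /:[ \t]+/)) next
        path = substr($0, 1, RSTART - 1)
        desc = substr($0, RSTART + RLENGTH)
        if (desc !~ /executable/) next
        if (desc ~ /dynamically linked|text|library|object file/) next
        print path
    }'
}

# scan_static DIR...: run file(1) on every regular file with any execute
# bit set under the given directories, then classify the output.
scan_static() {
    find "$@" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
        -exec file {} + 2>/dev/null | classify_static
}

# sample_lines: constructed file(1) output. The static and boot-block lines
# follow the listing in the message; the dynamic and script lines are made up.
sample_lines() {
    cat <<'EOF'
/usr/bin/gzip:          OpenBSD/i386 demand paged executable
/usr/mdec/biosboot:     OpenBSD/i386 object file not stripped
/usr/mdec/mbr:          data
/usr/bin/example-dyn:   OpenBSD/i386 demand paged dynamically linked executable
/usr/local/bin/example.sh: Bourne shell script text executable
/usr/local/bin/bash:    OpenBSD/i386 demand paged executable
EOF
}

# With directory arguments, scan them; with none, classify the sample.
if [ "$#" -gt 0 ]; then
    scan_static "$@"
else
    sample_lines | classify_static
fi
```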