Date:      Tue, 4 Sep 2001 12:37:18 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Kris Kennaway <kris@obsecurity.org>, Matt Dillon <dillon@earth.backplane.com>, Mark Peek <mark@whistle.com>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libc/stdlib strtol.3 strtol.c strtoll.c strtoq.c strtoul.3 strtoul.c strtoull.c strtouq.c
Message-ID:  <20010904123718.A56317@xor.obsecurity.org>
In-Reply-To: <20010904233320.A34429@nagual.pp.ru>; from ache@nagual.pp.ru on Tue, Sep 04, 2001 at 11:33:21PM +0400
References:  <200109041639.f84GdBm87501@freefall.freebsd.org> <20010904204454.A32114@nagual.pp.ru> <p05100307b7bab7186d08@[10.1.10.118]> <200109041705.f84H5W692572@earth.backplane.com> <20010904122843.A56085@xor.obsecurity.org> <20010904233320.A34429@nagual.pp.ru>

On Tue, Sep 04, 2001 at 11:33:21PM +0400, Andrey A. Chernov wrote:
> On Tue, Sep 04, 2001 at 12:28:43 -0700, Kris Kennaway wrote:
> > Having rcsid[] visible in source files is very useful from my point of
> > view in determining whether a binary is vulnerable to a security
>
> There are no such strings in the binary due to shared linkage in most cases.

For the shared linkage case, the rcsids live in the lib.so.

> > vulnerability.  If we have rcsids in everything (especially
> > libraries), then it would be trivial to write scanning software which
>
> For released versions library major is enough to determine functions
> present there.

The problem is statically linked binaries, including third party
binaries.  We can't fix them, but we can at least identify them.

I had to write several scanners for serious libc bugs for previous
advisories, and in the cases where there was no rcsid available it
*sucked*.

Kris
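The scanner Kris describes, as an added example that is not part of the thread and not FreeBSD's own tooling: it pulls expanded `$FreeBSD: path,v rev ...$` rcsid strings out of a binary's bytes and compares each file's revision against a table of first-fixed revisions, which is exactly what a statically linked third-party binary (or a libc.so) can be checked against when the library major alone says nothing. The revision numbers, the fixed-revision table and the sample "binaries" below are constructed placeholders, not the real libc history.

```python
import re
from typing import Dict, Tuple

# Matches the expanded CVS keyword form libc sources carry, e.g.
# "$FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.8 2001/09/04 16:39:11 ache Exp $".
# Only the path and revision groups matter to the scanner.
RCSID_RE = re.compile(rb"\$FreeBSD: (?P<path>[^\s,]+),v (?P<rev>\d+(?:\.\d+)*) ")


def parse_rev(rev: str) -> Tuple[int, ...]:
    """Turn '1.10' into (1, 10) so revisions compare numerically, not lexically."""
    return tuple(int(p) for p in rev.split("."))


def find_rcsids(blob: bytes) -> Dict[str, str]:
    """Return {source path: revision} for every rcsid string embedded in blob."""
    return {
        m.group("path").decode(): m.group("rev").decode()
        for m in RCSID_RE.finditer(blob)
    }


def classify(blob: bytes, fixed: Dict[str, str]) -> Dict[str, str]:
    """
    For each source file in `fixed` (path -> first fixed revision) report
    'fixed', 'vulnerable' or 'unknown'. 'unknown' is the case Kris complains
    about: no rcsid for that file, because the binary is stripped, predates
    rcsids, or simply never pulled that object in from libc.a.

    Caveat: a branch revision such as 1.8.2.1 sorts below 1.9 here, so a
    security branch needs its own fixed-revision table rather than HEAD's.
    """
    present = find_rcsids(blob)
    verdict = {}
    for path, fixed_rev in fixed.items():
        rev = present.get(path)
        if rev is None:
            verdict[path] = "unknown"
        elif parse_rev(rev) >= parse_rev(fixed_rev):
            verdict[path] = "fixed"
        else:
            verdict[path] = "vulnerable"
    return verdict


def scan_file(path: str, fixed: Dict[str, str]) -> Dict[str, str]:
    """Scan an on-disk binary (static executable or lib.so) in one pass."""
    with open(path, "rb") as f:
        return classify(f.read(), fixed)


# Constructed samples standing in for what `strings` would see in a statically
# linked program. Revision numbers are illustrative, not libc's real ones.
SAMPLE_STATIC = (
    b"\x7fELF\x01\x01\x01\x00"
    b"$FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.7 2000/01/01 00:00:00 xx Exp $\x00"
    b"$FreeBSD: src/lib/libc/stdlib/strtoul.c,v 1.9 2001/09/04 16:39:11 xx Exp $\x00"
)
SAMPLE_STRIPPED = b"\x7fELF\x01\x01\x01\x00no rcsids survive here\x00"

# Hypothetical first-fixed revisions, the kind of table an advisory would ship.
FIXED_REVISIONS = {
    "src/lib/libc/stdlib/strtol.c": "1.8",
    "src/lib/libc/stdlib/strtoul.c": "1.9",
}

if __name__ == "__main__":
    for name, blob in (("static", SAMPLE_STATIC), ("stripped", SAMPLE_STRIPPED)):
        print(name, classify(blob, FIXED_REVISIONS))
```

Pointing `scan_file` at `/usr/lib/libc.so.*` covers the shared-linkage case Andrey raises, since the rcsids live there; walking `/usr/local/bin` with it is the third-party static binary sweep. Every "unknown" in the output is a binary that still has to be checked by hand, which is the cost of objects without an rcsid.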

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010904123718.A56317>