On Sat, Feb 17, 2007 at 09:03:24AM -0500, Mike Frysinger wrote:
> On Saturday 17 February 2007, Simon Stelling wrote:
> > Using preserve-libs it would leave the old lib around,
> > making it possible for programs to link against the wrong version and
> > ending up being vulnerable.
>
> generally, this is incorrect
>
> the only way you could link against it is if you were to actually specify the
> full path to the library:
> ... /usr/lib/libfoo.so.3 ...
>
> and since that's invalid usage, there is no real security impact
Security impact is from a pkg potentially dragging along old libs; if you've got a stable pkg that gets an update once in a blue moon, it can hold onto the lib for a *long* time while still using it; thus if there's a vuln in the lib, said pkg is still screwed.

Other angle is someone intentionally forcing usage of a known bad library that is still dangling. Corner case, but doable.

Bit curious how this is going to behave if, via linked-in libs, the new loc and the old get loaded alongside each other...

~harring