On Saturday 17 February 2007, Brian Harring wrote:
> Security impact is from a pkg potentially dragging along old libs; if
> you've got a stable pkg that gets an update once every blue moon, it
> can hold onto the lib for a *long* time while still using the lib;
> thus if there's a vuln. in the lib, said pkg still is screwed.

umm, no ... the package itself is updated against the new copy while the old 
copy exists for other packages that have already been built

> Other angle is someone intentionally forcing usage of a known bad
> library that is still dangling.  Corner case, but doable.

as I said, this is the "invalid" syntax:
... /usr/lib/libfoo.so.3 ...

besides, this is not a real concern ... if a user is purposefully relinking 
against files because it has a security issue, they have the ability to do a 
lot more than any bug exposed in the library

> Bit curious how this is going to behave if via linked in libs, new loc
> and old get loaded alongside...

this would require multiple libraries to be involved in the equation and the 
answer is undefined behavior, which would most certainly result in runtime 
failures ...

besides, just like the gcc-3.3 -> gcc-3.4 transition, if you don't run 
revdep-rebuild and things are breaking, it's your own fault
-mike
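A check of the kind this exchange is about, as an added example that is not part of the original thread: it parses `readelf -d` output (constructed sample data, with constructed binary paths and library names) and flags binaries that either carry an absolute-path NEEDED entry, the "invalid" linking syntax mentioned above, or still depend on a soname that exists only as a preserved old copy and so were never rebuilt.

```python
"""Audit `readelf -d` output for the two dependency problems the thread
raises. Added example, not from the original message; the readelf text and
the preserved-library list are constructed sample data."""
import re
from typing import Dict, List, Set

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def parse_needed(readelf_output: str) -> List[str]:
    """Return the DT_NEEDED entries from one binary's `readelf -d` output."""
    return NEEDED_RE.findall(readelf_output)


def audit(binaries: Dict[str, str], preserved: Set[str]) -> Dict[str, List[str]]:
    """Map each binary path to its findings; an empty list means clean.

    An absolute-path NEEDED entry means the binary was linked against a
    library file by path (the "invalid" syntax) and that file had no SONAME,
    so the loader is pinned to that exact file. A soname that survives only
    as a preserved old copy means the consumer was never rebuilt against the
    new version, which is what revdep-rebuild exists to catch.
    """
    findings: Dict[str, List[str]] = {}
    for path, output in binaries.items():
        issues = []
        for dep in parse_needed(output):
            if dep.startswith("/"):
                issues.append(f"linked by absolute path: {dep}")
            elif dep in preserved:
                issues.append(f"still uses preserved old library: {dep}")
        findings[path] = issues
    return findings


# Constructed sample: three binaries; libfoo.so.3 is the preserved old copy.
NEEDED = " 0x0000000000000001 (NEEDED)             Shared library: [{}]\n"
SAMPLE_READELF = {
    "/usr/bin/clean": NEEDED.format("libfoo.so.4") + NEEDED.format("libc.so.6"),
    "/usr/bin/stale": NEEDED.format("libfoo.so.3") + NEEDED.format("libc.so.6"),
    "/usr/bin/pinned": NEEDED.format("/usr/lib/libbar.so")
    + " 0x000000000000000e (SONAME)             Library soname: [pinned.so]\n",
}
PRESERVED_OLD_LIBS = {"libfoo.so.3"}

if __name__ == "__main__":
    for binary, issues in audit(SAMPLE_READELF, PRESERVED_OLD_LIBS).items():
        print(f"{binary}: {'; '.join(issues) or 'OK'}")
```

On a live system the same `audit` function can be fed the output of `readelf -d` for each installed ELF file and the list of sonames that exist only under the preserved-libs registry.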
