On 2012-12-16, Nikos Chantziaras wrote:

> On 15/12/12 12:18, Volker Armin Hemmann wrote:
>> On Friday, 14 December 2012, 21:34:54, Kevin Chadwick wrote:
>>
>>> On OpenBSD which has the benefit of userland being part of it. All the
>>> critical single user binaries are in root and built statically as much
>>> as possible, maximising system reliability no matter the custom
>>> requirements or packages.
>>
>> until a flaw is found in one of the libs used and all those statically linked
>> binaries are in danger.  Well done!
>
> I don't see why this would only affect statically linked
> executables. If a bug is found in a library, all dynamically linked
> executables are affected as well.  When the BSD packagers put out an
> update for the library, they'll also put updates for the static
> binaries that use it.
>
> I don't see any security issue here.

Even more than that, if a flaw is found, no matter if those are
statically or dynamically linked, the flaw exists both ways, and can be
exploited in both scenarios. About replacing, you can just replace all
those binaries like you would replace the dynamically linkable one. But
you'd have to consider that the flaw may have been exploited in both
scenarios.

-- 
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/