Subject: Re: Dynamically Linked NetBSD-Current
To: David Laight <david@l8s.co.uk>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 12/14/2002 14:21:21
[ On Saturday, December 14, 2002 at 10:42:06 (+0000), David Laight wrote: ]
> Subject: Re: Dynamically Linked NetBSD-Current
>
> On Fri, Dec 13, 2002 at 10:22:34PM -0500, Dan Melomedman wrote:
> > > Another thing that I remember about that OpenBSD security advisory
> > > (and this was a while ago now) was that, at least initially, they told
> > > you to recompile the affected statically linked binaries but they
> > > didn't mention which ones were actually affected. This was why I
> > > immediately perked up when I heard about this.
> > 
> > Probably because they were too lazy to find what was affected in the
> > distribution.
> 
> It is all too hard!  How would you know which bits installed from
> pkgsrc used the 'broken' function?

Well, if you don't strip your binaries, and assuming you know exactly
what symbols have to be changed to fix the problem, and if you have no
overlapping timestamps of programs built with both broken and fixed
versions of the library, then it's not very hard at all....

> Reminds me of trying to track down the final program that had the
> broken version of the utmp update routines linked to it.
> This was a commercial unix and the offending program could have
> come from a 3rd party.

Even back in those days it never ever made any sense to me why binaries
were stripped....

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
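
The check described in the reply above, sketched as an added example that is not part of the original message: it reads `nm` symbol tables to tell binaries that carry their own copy of a library function from those that import it, and uses file timestamps to separate copies built before and after the fix. The symbol name `broken_func`, the `FIXED_LIB` argument and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example; the symbol and paths passed in are the caller's choice.

# classify_nm SYMBOL: read `nm` output on stdin and print one of
#   embedded  SYMBOL is defined in the file (T, t, W): a copy was linked in
#   imported  SYMBOL is undefined (U, w): resolved from a shared library
#   absent    the file has symbols, but not this one
#   unknown   no symbol table (stripped, or not an object file)
classify_nm() {
    awk -v sym="$1" '
        NF >= 2 { seen = 1 }
        {
            name = $NF
            sub(/@.*/, "", name)          # drop symbol-version suffix, if any
            if (name != sym) next
            t = $(NF - 1)
            if (t ~ /^[TtW]$/)     embedded = 1
            else if (t ~ /^[Uw]$/) imported = 1
        }
        END {
            if (!seen)         print "unknown"
            else if (embedded) print "embedded"
            else if (imported) print "imported"
            else               print "absent"
        }'
}

# scan_dir SYMBOL DIR [FIXED_LIB]: classify every executable file under DIR.
# A symbol name cannot tell a broken copy from a repaired one, so an embedded
# copy is also compared by mtime against FIXED_LIB (the repaired library file).
scan_dir() {
    find "$2" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        state=$(nm "$f" 2>/dev/null | classify_nm "$1")
        note=""
        if [ "$state" = embedded ] && [ -n "${3:-}" ]; then
            if [ "$f" -nt "$3" ]; then note=" built-after-fix"
            else note=" predates-fix"; fi
        fi
        printf '%s\t%s%s\n' "$state" "$f" "$note"
    done
}

# Constructed nm lines (not taken from a real system):
printf '0000000000401a20 T broken_func\n' | classify_nm broken_func  # embedded
printf '                 U broken_func\n' | classify_nm broken_func  # imported
```

Files reported as `unknown` are the stripped case the message complains about: nothing can be concluded from them without other evidence such as build logs.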