On Wed, 2 Apr 2003, Roman Drahtmueller wrote:
SuSE Security Announcement
Package: sendmail, sendmail-tls
Announcement-ID: SuSE-SA:2003:023
When I patched and recompiled sendmail-8.11.3-106 (for SuSE 7.2) yesterday, I noticed that my sendmail binary was 50% smaller than the version supplied by SuSE (this applies to the current update, too); I *think* libssl and libcrypt are linked statically in the SuSE version - is this true? And if it is - why?
It's not these two, it's /usr/lib/libldap.a and /usr/lib/liblber.a that are linked statically.
Thanks. But one thing is strange: with my self-compiled version, "ldd /usr/sbin/sendmail" lists these references:

libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40058000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40086000)

These are missing from the SuSE version, so naturally I thought that SuSE linked them statically... And: /usr/lib/libldap.a and /usr/lib/liblber.a amount to about 300 KB, but the size difference of the binary I'm observing is over 500 KB - are you sure those two libs don't "pull" [parts of] libssl and libcrypto into the binary, too? (They *do* reference them...) Depending on what parts of libssl/libcrypt are actually used, this *could* have security implications, no?
The newer distributions are linked dynamically against these libraries, the older ones have tradeoffs. The reason for the static linking is based on dependencies between packages. Building the packages can have circular dependencies, which makes it a bit difficult at times...
Eeeeeeek - nasty stuff! I bet you'll be glad when you finally get rid of having to support those old distros... :-)

Martin
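The question in this thread, whether a sendmail binary gets libssl/libcrypto from shared objects (so a libssl update fixes it) or carries its own statically linked copy (so the package must be rebuilt), can be checked on any binary. The script below is an added example, not code from the thread or from SuSE; it assumes a POSIX shell with ldd available, and that a statically linked OpenSSL leaves its "OpenSSL <version>" banner string inside the binary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Decide whether a binary
# resolves libssl/libcrypto dynamically, embeds OpenSSL code statically, or
# uses neither. Assumption: a static OpenSSL leaves its version banner
# ("OpenSSL 0.9.6c ...") in the binary, which is what we look for.

# Print the names of the shared libraries the dynamic loader resolves.
# On a non-dynamic file ldd prints nothing usable, which is what we want.
dynamic_libs() {
    ldd "$1" 2>/dev/null | awk '{print $1}'
}

# Exit 0 if the file contains an OpenSSL version banner anywhere in it.
# tr splits the file into printable runs so grep works on binaries too.
has_openssl_banner() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'OpenSSL [0-9]'
}

# Print one word: "dynamic" (shared libssl/libcrypto in ldd output),
# "static" (no shared libs but an OpenSSL banner inside), or "none".
classify_openssl() {
    if dynamic_libs "$1" | grep -q -e '^libssl\.so' -e '^libcrypto\.so'; then
        echo dynamic
    elif has_openssl_banner "$1"; then
        echo static
    else
        echo none
    fi
}

# Usage: classify_openssl /usr/sbin/sendmail
```

A "static" result means the binary must be rebuilt after an OpenSSL fix, because updating the shared libssl/libcrypto packages does not touch it.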