Mailinglist Archive: opensuse-security (300 mails)

Re: [suse-security] SuSE Security Announcement: sendmail (SuSE-SA:2003:023)
  • From: Martin Köhling <mk@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 2 Apr 2003 16:25:21 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0304021548100.863-100000@xxxxxxxxxxxxxxxxxx>
On Wed, 2 Apr 2003, Roman Drahtmueller wrote:

> > >
> > > SuSE Security Announcement
> > >
> > > Package: sendmail, sendmail-tls
> > > Announcement-ID: SuSE-SA:2003:023
> >
> > When I patched and recompiled sendmail-8.11.3-106 (for SuSE 7.2)
> > yesterday, I noticed that my sendmail binary was 50% smaller than the
> > version supplied by SuSE (this applies to the current update, too);
> > I *think* libssl and libcrypt are linked statically in the SuSE version -
> > is this true? And if it is - why?
> It's not these two, it's /usr/lib/libldap.a and /usr/lib/liblber.a that
> are linked statically.


But one thing is strange: with my self-compiled version,
"ldd /usr/sbin/sendmail" lists these references:

 => /usr/lib/ (0x40058000)
 => /usr/lib/ (0x40086000)

These are missing from the SuSE version, so naturally I thought that SuSE
linked them statically...

And: /usr/lib/libldap.a and /usr/lib/liblber.a amount to about 300 KB, but
the size difference of the binary I'm observing is over 500 KB - are you
sure those two libs don't "pull" [parts of] libssl and libcrypto into the
binary, too? (They *do* reference them...)

Depending on what parts of libssl/libcrypt are actually used, this *could*
have security implications, no?

> The newer distributions are linked dynamically
> against these libraries, the older ones have tradeoffs. The reason for the
> static linking is based on dependencies between packages. Building the
> packages can have circular dependencies, which makes it a bit difficult at
> times...

Eeeeeeek - nasty stuff!
I bet you'll be glad when you finally get rid of having to support those
old distros... :-)
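
An added example, not part of the original message or of any SuSE tooling: one way to check the question raised above, whether OpenSSL code sits inside a binary rather than being loaded at run time, by comparing `ldd` output with version banners embedded in the file. The sample bytes and `ldd` lines are constructed for illustration (they are not the elided output from the message), and all function names are hypothetical.

```python
import re

# Objects taken from a static libcrypto.a carry banners such as
# "MD5 part of OpenSSL 0.9.6b 9 Jul 2001" in the binary's data.
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]*")
# One ldd line has the form: "<soname> => <path> (<load address>)"
LDD_LINE = re.compile(r"^[ \t]*(\S+)[ \t]+=>", re.M)
TLS_LIBS = ("libssl.so", "libcrypto.so")

def dynamic_tls_libs(ldd_output):
    """Sonames of libssl/libcrypto that the binary loads at run time."""
    names = LDD_LINE.findall(ldd_output)
    return sorted(n for n in names if n.startswith(TLS_LIBS))

def embedded_openssl(binary):
    """Distinct OpenSSL version banners found inside the binary image."""
    return sorted({m.decode() for m in BANNER.findall(binary)})

def classify(binary, ldd_output):
    """Return 'static', 'dynamic', 'mixed' or 'none-found'.

    'static' means a libssl security update will not reach this binary
    until it is relinked. 'none-found' is not proof of absence: only the
    archive members that were actually pulled in leave a banner.
    """
    dyn = dynamic_tls_libs(ldd_output)
    emb = embedded_openssl(binary)
    if emb and dyn:
        return "mixed"
    if emb:
        return "static"
    return "dynamic" if dyn else "none-found"

# Constructed sample: binary with OpenSSL objects linked in.
STATIC_BIN = (b"\x7fELF" + b"\0" * 12 +
              b"MD5 part of OpenSSL 0.9.6b 9 Jul 2001\0"
              b"SHA1 part of OpenSSL 0.9.6b 9 Jul 2001\0")
STATIC_LDD = "\tlibc.so.6 => /lib/libc.so.6 (0x40020000)\n"

# Constructed sample: binary that only names the shared libraries.
DYNAMIC_BIN = b"\x7fELF" + b"\0" * 12 + b"libssl.so.0.9.6\0libcrypto.so.0.9.6\0"
DYNAMIC_LDD = """\
\tlibssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
\tlibcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)
\tlibc.so.6 => /lib/libc.so.6 (0x40120000)
"""

if __name__ == "__main__":
    print(classify(STATIC_BIN, STATIC_LDD), embedded_openssl(STATIC_BIN))
    print(classify(DYNAMIC_BIN, DYNAMIC_LDD), dynamic_tls_libs(DYNAMIC_LDD))
```

On a real system the inputs would be the file's bytes and the text printed by `ldd`; since `ldd` may execute the binary's loader, `readelf -d` is the safer source for the NEEDED list on files of unknown origin.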

