commit 594d432605b14339bdc25008e867b836ba35d99a
Author: Chris Down <chris_AT_chrisdown.name>
Date: Fri Sep 27 16:15:30 2013 +0200
Rephrase sentence about vulnerabilities in static linking.
This sentence was misunderstood here:
https://mailman.archlinux.org/pipermail/arch-general/2013-September/034214.html
diff --git a/sta.li/faq.md b/sta.li/faq.md
index 3c5584d..6326ab4 100644
--- a/sta.li/faq.md
+++ b/sta.li/faq.md
_AT_@ -45,9 +45,9 @@ Aren't statically linked executables less secure?
----------------------------------------------
Several people argue (with implicitly requiring ABI-stability) that dynamically
linked executables benefit from security fixes in libraries they depend on.
-This is true to some extend, but if there is a security flaw in a dynamically
-linked library, all programs are affected as well; whereas statically
-executables aren't.
+While this is true to some extent, statically linked executables aren't
+en-masse affected by vulnerabilities in the dynamic libraries installed on your
+system in the first place.
We know that there is some overhead in re-compiling all affected executables if
a dependent library is insecure, but we don't see this as a critical
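Review bot: the three added lines overstate the point and can be read as saying statically linked executables are simply not affected by library vulnerabilities, which the unchanged context right below ("some overhead in re-compiling all affected executables if a dependent library is insecure") contradicts. A static executable carries its own copy of the vulnerable code; the difference is that one flawed shared library does not expose every program on the system at once, and each static binary built against the flawed code has to be rebuilt to pick up the fix. Suggest saying that explicitly, e.g. "While this is true to some extent, a flaw in a shared library affects every dynamically linked executable on the system at once, whereas a statically linked executable is only affected if it was built against the flawed code, and can be fixed by rebuilding it." Also "en-masse" should be unhyphenated ("en masse"); the "extend" to "extent" correction is right.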
_AT_@ -73,7 +73,7 @@ for some insight.
Also a security issue with dynamically linked libraries are executables with
the suid flag. A user can easily run dynamic library code using LD_PRELOAD in
-conjunction with some trivial program like ping. Using a static
+conjunction with some trivial program like ping. Using a static
executable with the suid flag eliminates this problem completely.
Apart from that we link against libraries with low footprint (eg uclibc instead
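Review bot: this hunk is a whitespace-only change (the removed and added "conjunction with some trivial program like ping. Using a static" lines are textually identical, presumably trailing whitespace stripped) that the commit message "Rephrase sentence about vulnerabilities in static linking" does not mention; either note the cleanup in the message or move it to a separate commit so the diff matches its description. Since the hunk touches this sentence anyway, the unchanged claim that a user can "easily run dynamic library code using LD_PRELOAD" against a suid program like ping deserves a qualifier: per ld.so(8), the loader runs set-user-ID executables in secure-execution mode, where LD_PRELOAD entries containing slashes are ignored and only libraries in the standard search directories that themselves carry the set-user-ID bit are honoured, so the exposure is narrower than the sentence suggests.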
_AT_@ -109,7 +109,7 @@ the dependent libraries were pre-loaded. We believe the overhead for looking up
all needed symbols in the dynamically loaded libraries seems to be very
expensive. On modern hardware this is only noticable with endlessly executing
the static and dynamic executable in a loop for several minutes and counting
-the number of executions.
+the number of executions.
A general conclusion is, the more dynamic libraries an executable depends on,
the slower it'll start, regardless if the libraries are preloaded or not.
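Review bot: this hunk is also a whitespace-only change ("the number of executions." is identical before and after) that the commit message does not cover; mention it in the message or split it out as a cleanup commit so that "Rephrase sentence" describes the whole diff. While the hunk is here, the context line "noticable" should read "noticeable", and "only noticable with endlessly executing" reads better as "only noticeable when endlessly executing".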
Received on Fri Sep 27 2013 - 16:17:09 CEST