[Slackbuilds-users] Cauterizing heartbleed (CVE-2014-0160)

mancha mancha1 at hush.com
Sat Apr 12 06:06:16 UTC 2014


Vincent Batts <vbatts at ...> writes:
>
> for file in $(find . -type f | xargs file | grep ELF | cut -d : -f 1); do
>   # collect any OpenSSL strings embedded in this ELF file
>   d=$(strings "$file" | grep OpenSSL)
>   if [ ${#d} -gt 0 ]; then
>     echo "$file"
>     echo $d
>     echo
>   fi
> done
> On Apr 11, 2014 5:41 PM, "B Watson" wrote:
> On 4/11/14, mancha wrote:
> > If we're sure the linking is dynamic then re-compilation is not
> > needed.
> Need a reliable way to tell whether a binary is statically linked with
> openssl... grep for some symbol that's always linked I suppose.  Would
> require actually building the stuff you're trying to check though, not
> just grepping the build script.

Something along those lines can help narrow down the search field
especially because both Pat and SBo strip symbols (I think SBo scripts
generally 'strip --strip-unneeded', right?). Otherwise something like
this would have been possible:

$ objdump -t <FILENAME> | grep SSL_library_init

After identifying candidates, we can worry about whether the bundled
or statically-linked OpenSSLs are vulnerable or not.

--mancha
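
A sketch of the triage discussed in this thread, added here as an example and not code from any of the posters: it separates ELF files that load libssl/libcrypto dynamically from ones that only carry an embedded OpenSSL version banner, then compares the banner with the upstream CVE-2014-0160 range. The function names are hypothetical, readelf from binutils is assumed to be installed, and the banner regex assumes the usual "OpenSSL <version> <day> <month> <year>" text.

```shell
#!/bin/sh
# Added example (not from the thread): triage ELF files for OpenSSL copies.

# Print the first OpenSSL version banner found in a file's raw bytes.
# grep -a works on stripped binaries, where objdump -t shows no symbols.
openssl_banner() {
    LC_ALL=C grep -a -o -E \
        'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[a-z0-9]+)? +[0-9]+ [A-Z][a-z]+ [0-9]+' \
        "$1" | head -n 1
}

# Compare a banner's version with the upstream CVE-2014-0160 range:
# 1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g carries the fix.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | cut -d ' ' -f 2)
    case "$ver" in
        "") echo no-banner ;;
        1.0.1|1.0.1[a-f]|1.0.1-fips|1.0.1[a-f]-fips|1.0.2-beta|1.0.2-beta1)
            echo in-range ;;
        *) echo outside-range ;;
    esac
}

# Print "<linkage> <status> <path>" for an ELF file that uses OpenSSL.
triage_file() {
    f=$1
    # ELF magic check (7f 45 4c 46) without relying on file(1).
    [ "$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')" = 7f454c46 ] || return 0
    banner=$(openssl_banner "$f")
    if readelf -d "$f" 2>/dev/null | grep -q -E 'NEEDED.*lib(ssl|crypto)\.so'; then
        linkage=dynamic      # fixed by upgrading the shared library
    elif [ -n "$banner" ]; then
        linkage=embedded     # candidate for a static or bundled copy
    else
        return 0
    fi
    printf '%s %s %s\n' "$linkage" "$(heartbleed_status "$banner")" "$f"
}

# Triage every regular file under a directory (default: current directory).
scan_tree() {
    find "${1:-.}" -type f | while IFS= read -r f; do triage_file "$f"; done
}

# Run as: sh triage.sh /path/to/tree
if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

An in-range result is a lead rather than a verdict: distributions backport fixes without changing the version letter, and a copy built with -DOPENSSL_NO_HEARTBEATS does not contain the heartbeat code.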



