On Thu, Aug 01, 2002 at 10:09:18AM -0500, Mike Green wrote:
> In light of the recent vulnerabilities announced in openssl, I am attempting
> to recompile packages against openssl-0.9.6e. Finding binaries/libraries
> compiled against shared libraries has been straightforward. However, I
> have no clue how to approach finding binaries/libraries that have
> statically compiled openssl code in them.
>
> Does anyone have a recipe for doing this? I would appreciate an idea of
> what tools to use (nm?) and symbols to look for. The environment I am
> attempting to do this in is linux on packages compiled for i686.

As long as error messages are compiled in (the linker might omit them
when no error messages are used at all), you might look out for the
strings being part of the error messages. Another good bet is the
requirement to retrieve random numbers from "/dev/urandom", so that the
string "/dev/urandom" might be worth searching for.

As long as the binaries have not been stripped, you might also find the
function names like "SSL_CTX_new" (all programs using SSL functionality
should have this one).

A simple "grep" for the symbols might do. I would not use "strings", as
I have seen some items slipping through as the detection of strings is
not perfect.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
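
The grep-based check suggested in the reply above, as an added example that is not part of the original message or of OpenSSL. The function names (has, classify, scan, demo) are hypothetical, the sample files are constructed rather than real binaries, and treating a "libssl.so" or "libcrypto.so" string as the sign of dynamic linking is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: sort files by the markers named in the reply, searching raw
# bytes with grep -a rather than relying on strings(1).

# has FILE STRING -> success if the fixed STRING occurs anywhere in FILE
has() { grep -aqF -- "$2" "$1"; }

# classify FILE -> prints one of: shared, static-likely, review, none
classify() {
    f=$1
    # Assumption: a dynamically linked program names the library it needs,
    # so "libssl.so" / "libcrypto.so" shows up in its dynamic string table.
    if has "$f" 'libssl.so' || has "$f" 'libcrypto.so'; then
        echo shared
    elif has "$f" 'SSL_CTX_new'; then
        # Function name present with no shared-library reference:
        # an unstripped binary with the SSL code linked in.
        echo static-likely
    elif has "$f" '/dev/urandom'; then
        # Survives stripping, but unrelated programs open this device too,
        # so the hit only marks the file for manual inspection.
        echo review
    else
        echo none
    fi
}

# scan DIR -> one "verdict<TAB>path" line per regular file, skipping "none"
scan() {
    find "$1" -type f | while IFS= read -r p; do
        v=$(classify "$p")
        [ "$v" = none ] || printf '%s\t%s\n' "$v" "$p"
    done
}

# Demo on constructed files (not real binaries), NUL separators included.
demo() {
    d=$(mktemp -d)
    printf '\177ELF\000libssl.so.0\000SSL_CTX_new\000' > "$d/dyn"
    printf '\177ELF\000SSL_CTX_new\000/dev/urandom\000' > "$d/static"
    printf '\177ELF\000/dev/urandom\000' > "$d/stripped"
    printf '\177ELF\000hello\000' > "$d/other"
    scan "$d" | sort
    rm -rf "$d"
}

# With a directory argument scan it, otherwise run the demo.
if [ "$#" -gt 0 ]; then scan "$1"; else demo; fi
```

Files reported as "review" still need a second marker, such as one of the error-message strings the reply mentions, before they are queued for a rebuild.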