libtool

libtool audit


From: Gary V. Vaughan
Subject: libtool audit
Date: Wed, 17 Dec 2003 17:23:50 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030925 Thunderbird/0.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob Friesenhahn wrote:
| If the date that savannah was compromised is well known, then it seems
| that examining CVS diffs since that date is the best approach.
| Unfortunately, it is very easy to compromise shell code in ways which
| are not obvious.  For example "rm -rf $FOO/" will happily remove the
| root directory if FOO is not defined.

Argh.  I am beginning to resent the amount of admin I am doing in what would
otherwise be my hacking time :-(

I've just spent about 2 hours looking through files from:

    ftp://ftp.gnu.org/savannah/changsets/libtool-changes.tar.gz

It's difficult, tedious and error-prone.  As best I can tell, the files I've
checked are not carrying trojans or bad calls to `rm'.  I think 2 hours at a
time is an upper limit of how long I can spend on this in one sitting before
my concentration diminishes enough to let errors through.

A quick back-of-the-envelope calculation based on the number of lines in the
changeset files leads me to believe it will be about 12 man-hours of effort to
audit everything.

Ignoring files which are not code, or involved in the generation of code, and
removing those files I have examined already, this is what remains:

./ltmain.in,v-1
./cdemo/Attic/Makefile.am,v-1
./cdemo/Attic/configure.ac,v-1
./cdemo/Attic/foo.c,v-1
./cdemo/Attic/foo.h,v-1
./cdemo/Attic/main.c,v-1
./demo/Attic/Makefile.am,v-1
./demo/Attic/configure.ac,v-1
./demo/Attic/dlmain.c,v-1
./demo/Attic/foo.c,v-1
./demo/Attic/foo.h,v-1
./demo/Attic/hell1.c,v-1
./demo/Attic/hell2.c,v-1
./demo/Attic/hello.c,v-1
./demo/Attic/main.c,v-1
./depdemo/Attic/Makefile.am,v-1
./depdemo/Attic/configure.ac,v-1
./depdemo/Attic/main.c,v-1
./depdemo/Attic/sysdep.h,v-1
./depdemo/l1/Attic/Makefile.am,v-1
./depdemo/l1/Attic/l1.c,v-1
./depdemo/l1/Attic/l1.h,v-1
./depdemo/l2/Attic/Makefile.am,v-1
./depdemo/l2/Attic/l2.c,v-1
./depdemo/l2/Attic/l2.h,v-1
./depdemo/l3/Attic/Makefile.am,v-1
./depdemo/l3/Attic/l3.c,v-1
./depdemo/l3/Attic/l3.h,v-1
./depdemo/l4/Attic/Makefile.am,v-1
./depdemo/l4/Attic/l4.c,v-1
./depdemo/l4/Attic/l4.h,v-1
./f77demo/Attic/Makefile.am,v-1
./f77demo/Attic/configure.ac,v-1
./f77demo/Attic/cprogram.c,v-1
./f77demo/Attic/foo.h,v-1
./f77demo/Attic/fooc.c,v-1
./f77demo/Attic/foof.f,v-1
./f77demo/Attic/fprogram.f,v-1
./libltdl/Makefile.am,v-1
./libltdl/ltdl.c,v-1
./libltdl/ltdl.c,v-1.174.2
./libltdl/ltdl.h,v-1.57.2
./libltdl/ltdl.h,v-1
./libltdl/Attic/configure.ac,v-1
./m4/libtool.m4,v-1
./m4/ltdl.m4,v-1
./mdemo/Attic/Makefile.am,v-1.46.2
./mdemo/Attic/Makefile.am,v-1
./mdemo/Attic/configure.ac,v-1
./mdemo/Attic/foo.h,v-1
./mdemo/Attic/foo1.c,v-1
./mdemo/Attic/foo2.c,v-1
./mdemo/Attic/main.c,v-1
./mdemo/Attic/mlib.c,v-1
./mdemo/Attic/sub.c,v-1
./mdemo2/Attic/Makefile.am,v-1
./mdemo2/Attic/Makefile.am,v-1.1.2
./mdemo2/Attic/configure.ac,v-1
./mdemo2/Attic/main.c,v-1
./pdemo/Attic/Makefile.am,v-1
./pdemo/Attic/configure.ac,v-1
./pdemo/Attic/longer_file_name_foo.c,v-1
./pdemo/Attic/foo.h,v-1
./pdemo/Attic/longer_file_name_dlmain.c,v-1
./pdemo/Attic/longer_file_name_foo2.c,v-1
./pdemo/Attic/longer_file_name_hell1.c,v-1
./pdemo/Attic/longer_file_name_hell2.c,v-1
./pdemo/Attic/longer_file_name_hello.c,v-1
./pdemo/Attic/longer_file_name_main.c,v-1
./tagdemo/Attic/Makefile.am,v-1
./tagdemo/Attic/baz.cpp,v-1
./tagdemo/Attic/baz.h,v-1
./tagdemo/Attic/configure.ac,v-1
./tagdemo/Attic/foo.cpp,v-1
./tagdemo/Attic/foo.h,v-1
./tagdemo/Attic/main.cpp,v-1
./tests/Makefile.am,v-1.32.2
./tests/Makefile.am,v-1
./tests/cdemo-conf.test,v-1
./tests/assign.test,v-1
./tests/demo-noinst-link.test,v-1
./tests/cdemo-exec.test,v-1
./tests/cdemo-make.test,v-1
./tests/cdemo-shared.test,v-1
./tests/cdemo-static.test,v-1
./tests/defs,v-1
./tests/demo-conf.test,v-1
./tests/demo-deplibs.test,v-1
./tests/demo-exec.test,v-1
./tests/demo-hardcode.test,v-1
./tests/demo-inst.test,v-1
./tests/demo-make.test,v-1
./tests/demo-nofast.test,v-1
./tests/depdemo-nofast.test,v-1
./tests/demo-nopic.test,v-1
./tests/demo-pic.test,v-1
./tests/demo-relink.test,v-1
./tests/demo-shared.test,v-1
./tests/demo-static.test,v-1
./tests/demo-unst.test,v-1
./tests/depdemo-conf.test,v-1
./tests/depdemo-exec.test,v-1
./tests/depdemo-inst.test,v-1
./tests/depdemo-make.test,v-1
./tests/depdemo-relink.test,v-1
./tests/depdemo-shared.test,v-1
./tests/depdemo-static.test,v-1
./tests/depdemo-unst.test,v-1
./tests/f77demo-conf.test,v-1
./tests/f77demo-exec.test,v-1
./tests/f77demo-make.test,v-1
./tests/f77demo-shared.test,v-1
./tests/f77demo-static.test,v-1
./tests/link-2.test,v-1
./tests/link.test,v-1
./tests/mdemo-conf.test,v-1
./tests/mdemo-dryrun.test,v-1
./tests/mdemo-exec.test,v-1
./tests/mdemo-inst.test,v-1
./tests/mdemo-make.test,v-1
./tests/mdemo-shared.test,v-1
./tests/mdemo-static.test,v-1
./tests/mdemo-unst.test,v-1
./tests/mdemo2-conf.test,v-1
./tests/mdemo2-exec.test,v-1
./tests/mdemo2-make.test,v-1
./tests/nomode.test,v-1
./tests/pdemo-conf.test,v-1
./tests/pdemo-exec.test,v-1
./tests/pdemo-inst.test,v-1
./tests/pdemo-make.test,v-1
./tests/quote.test,v-1
./tests/sh.test,v-1
./tests/suffix.test,v-1
./tests/tagdemo-conf.test,v-1
./tests/tagdemo-exec.test,v-1
./tests/tagdemo-make.test,v-1
./tests/tagdemo-shared.test,v-1
./tests/tagdemo-static.test,v-1
./tests/Attic/build-relink.test,v-1
./tests/Attic/build-relink2.test,v-1
./tests/Attic/deplibs.test,v-1
./tests/Attic/dryrun.test,v-1
./tests/Attic/dryrun.test,v-1.9.2
./tests/Attic/hardcode.test,v-1
./tests/Attic/noinst-link.test,v-1
./tests/cdemo/Makefile.am,v-1
./tests/cdemo/configure.ac,v-1
./tests/cdemo/foo.c,v-1
./tests/cdemo/foo.h,v-1
./tests/cdemo/main.c,v-1
./tests/demo/Makefile.am,v-1
./tests/demo/configure.ac,v-1
./tests/demo/dlmain.c,v-1
./tests/demo/foo.c,v-1
./tests/demo/foo.h,v-1
./tests/demo/hell1.c,v-1
./tests/demo/hell2.c,v-1
./tests/demo/hello.c,v-1
./tests/demo/main.c,v-1
./tests/depdemo/Makefile.am,v-1
./tests/depdemo/configure.ac,v-1
./tests/depdemo/sysdep.h,v-1
./tests/depdemo/main.c,v-1
./tests/depdemo/l1/Makefile.am,v-1
./tests/depdemo/l1/l1.c,v-1
./tests/depdemo/l1/l1.h,v-1
./tests/depdemo/l2/Makefile.am,v-1
./tests/depdemo/l2/l2.c,v-1
./tests/depdemo/l2/l2.h,v-1
./tests/depdemo/l3/Makefile.am,v-1
./tests/depdemo/l3/l3.c,v-1
./tests/depdemo/l3/l3.h,v-1
./tests/depdemo/l4/Makefile.am,v-1
./tests/depdemo/l4/l4.c,v-1
./tests/depdemo/l4/l4.h,v-1
./tests/f77demo/Makefile.am,v-1
./tests/f77demo/configure.ac,v-1
./tests/f77demo/cprogram.c,v-1
./tests/f77demo/foo.h,v-1
./tests/f77demo/fooc.c,v-1
./tests/f77demo/foof.f,v-1
./tests/f77demo/fprogram.f,v-1
./tests/f77demo/Attic/config.h,v-1
./tests/mdemo/Makefile.am,v-1
./tests/mdemo/configure.ac,v-1
./tests/mdemo/foo.h,v-1
./tests/mdemo/foo1.c,v-1
./tests/mdemo/foo2.c,v-1
./tests/mdemo/main.c,v-1
./tests/mdemo/mlib.c,v-1
./tests/mdemo/sub.c,v-1
./tests/mdemo2/Makefile.am,v-1
./tests/mdemo2/configure.ac,v-1
./tests/mdemo2/main.c,v-1
./tests/pdemo/Makefile.am,v-1
./tests/pdemo/longer_file_name_foo.c,v-1
./tests/pdemo/configure.ac,v-1
./tests/pdemo/foo.h,v-1
./tests/pdemo/longer_file_name_dlmain.c,v-1
./tests/pdemo/longer_file_name_foo2.c,v-1
./tests/pdemo/longer_file_name_hell1.c,v-1
./tests/pdemo/longer_file_name_hell2.c,v-1
./tests/pdemo/longer_file_name_hello.c,v-1
./tests/pdemo/longer_file_name_main.c,v-1
./tests/tagdemo/Makefile.am,v-1
./tests/tagdemo/baz.cpp,v-1
./tests/tagdemo/configure.ac,v-1
./tests/tagdemo/baz.h,v-1
./tests/tagdemo/foo.cpp,v-1
./tests/tagdemo/foo.h,v-1
./tests/tagdemo/main.cpp,v-1

Many of these files are very small, and only take a couple of minutes to
verify.  If you have time to examine a bunch of them, please do so, remove the
ones you are happy with from the list, and send the remainder on.  I'm hoping
we can get through this in a few weeks...

Cheers,
        Gary.
--
Gary V. Vaughan      ())_.  address@hidden,gnu.org}
Research Scientist   ( '/   http://www.oranda.demon.co.uk
GNU Hacker           / )=   http://www.gnu.org/software/libtool
Technical Author   `(_~)_   http://sources.redhat.com/autobook
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/4JEmFRMICSmD1gYRAsIAAKCull4smORKg7Fl0TFreoZiCXaLAwCfWyLo
ns062rESRJLtUQxLJ4gCLN4=
=NjAJ
-----END PGP SIGNATURE-----
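The hazard Bob quotes above, `rm -rf $FOO/` turning into `rm -rf /` when `FOO` is unset, is exactly the kind of defect a reviewer scanning these changesets has to catch by eye. As an added example (not code from this message, nor from libtool itself), the POSIX sh helper below shows both sides of that review: an `audit_rm_calls` pass that greps a shell script for recursive `rm` calls whose target is a variable expansion lacking the `${VAR:?}` guard, and a `safe_rm_tree` function written the way a reviewer would want such a call to look. The function names, the sample script it writes and the temporary file location are assumptions made for this example; the sample is constructed here and is not taken from the libtool changesets.

```shell
#!/bin/sh
# Added example, not code from the libtool mailing list message or from the
# libtool project.  Names (audit_rm_calls, safe_rm_tree, write_sample_script)
# and the sample script contents are assumptions made for this illustration.

# audit_rm_calls FILE
#   Prints "lineno:line" for every rm call carrying an -r flag whose target
#   begins with a variable expansion that has no ${VAR:?} guard.  Returns 0
#   when at least one such line was found, 1 when the file looks clean.
#   Lines whose expansion contains ':?' are dropped because ${VAR:?msg} makes
#   the shell abort the command when VAR is unset or empty, so "rm -rf /"
#   can never be formed from them.
audit_rm_calls() {
  grep -En 'rm[[:space:]]+-[A-Za-z]*r[A-Za-z]*[[:space:]]+"?\$' "$1" \
    | grep -vF ':?'
}

# safe_rm_tree DIR
#   The guarded counterpart to "rm -rf $DIR/": refuses an unset or empty
#   argument and refuses the root directory, returning 2 instead of running rm.
safe_rm_tree() {
  if [ -z "${1:-}" ]; then
    echo "safe_rm_tree: directory argument is unset or empty" >&2
    return 2
  fi
  case $1 in
    /|//) echo "safe_rm_tree: refusing to remove $1" >&2; return 2 ;;
  esac
  rm -rf -- "$1"
}

# write_sample_script FILE
#   Writes a constructed sample script (not libtool code) containing two
#   unguarded recursive calls (lines 3 and 6), one guarded call (line 5) and
#   one non-recursive call (line 4), so the audit output can be checked.
write_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
objdir=$1
rm -rf $objdir/
rm -f "$objdir/libfoo.la"
rm -rf "${objdir:?objdir is unset}/.libs"
rm -rf ${builddir}/.libs
EOF
}

# Demonstration on the constructed sample.
sample="${TMPDIR:-/tmp}/rm_audit_sample_$$.sh"
write_sample_script "$sample"
echo "Unguarded recursive rm calls in the sample script:"
audit_rm_calls "$sample" || echo "(none)"
rm -f -- "$sample"

# The guarded helper refuses the two dangerous cases instead of deleting "/".
safe_rm_tree "" 2>/dev/null || echo "empty argument refused (status $?)"
# With UNSET_DIR unset, "${UNSET_DIR:-}/" expands to "/", just as "$FOO/" would.
safe_rm_tree "${UNSET_DIR:-}/" 2>/dev/null || echo "root directory refused (status $?)"
```

The audit pass is deliberately coarse: it flags every recursive `rm` whose argument starts with an unguarded expansion and leaves the judgement to the reader, which is the right trade-off when the goal is to shorten a manual review rather than replace it. A quoted `"$objdir/"` is still flagged, because quoting protects against word splitting, not against an empty value.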