Re: Bug#28850: List of packages that link gettext statically
Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:
> Santiago Vila wrote:
> > On Tue, 16 Feb 1999, Martin Schulze wrote:
> >
> > > Ok, like I expected I have found NOT a single package that contains
> > > a setuid or setgid binary. Somebody please confirm this.
> >
> > What about /bin/su from shellutils?
> >
> > (This example was in the original report against gettext).
>
> shellutils was not part of the list Richard provided.

More to the point, /bin/su links against gettext dynamically:

cush:/mirror/JX-1.1.19/ACE/ACE_wrappers/ace$ nm -D /bin/su | grep bind
U bindtextdomain

Therefore, if the shared-library version of gettext is cleansed of
(these) buffer overflows, /bin/su will be as well.
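
The nm -D check in the message above, generalized from /bin/su to every setuid or setgid file under a directory. This is an added example, not part of the original post or of any Debian tooling. The function names classify_gettext and audit_setid are hypothetical, the sample nm listings are constructed, and a stripped binary with a static copy of gettext will report "none" because its symbols are gone.

```shell
#!/bin/sh
# Added example. Function names and sample listings are constructed for
# illustration; only `nm -D` and the bindtextdomain symbol come from the post.

# Read nm output on stdin and say how bindtextdomain is provided:
#   dynamic - only an undefined (U) reference, resolved from a shared library
#   static  - a definition (T/t/W) inside the binary itself
#   none    - symbol not seen (also the result for a stripped static copy)
classify_gettext() {
    awk '
        $NF ~ /^bindtextdomain(@.*)?$/ {
            type = $(NF - 1)
            if (type == "U") is_dynamic = 1
            else if (type ~ /^[TtW]$/) is_static = 1
        }
        END {
            if (is_static) print "static"
            else if (is_dynamic) print "dynamic"
            else print "none"
        }'
}

# List every setuid or setgid regular file under directory $1 with its verdict.
# Both the dynamic (-D) and the regular symbol table are inspected.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        verdict=$( { nm -D "$f"; nm "$f"; } 2>/dev/null | classify_gettext )
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Constructed nm listings, not captured from a real system.
SAMPLE_DYNAMIC='         U bindtextdomain
         U getpwnam'
SAMPLE_STATIC='0804a1c0 T bindtextdomain
0804a300 T textdomain
         U getpwnam'
SAMPLE_NONE='         U getpwnam'

# Usage on a real system: audit_setid /bin
```

Files reported as "static" carry their own copy of the gettext code and need a rebuild after the library is fixed; files reported as "dynamic" pick up the fix from the shared library.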