Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?

From: Bram Matthys (Syzop) (syzop_at_vulnscan.org)
Date: 03/22/04

    To: Honza Vlach <janus@volny.cz>
    Date: Mon, 22 Mar 2004 17:06:38 +0100
    
    

    Honza Vlach wrote:
    > I have checked apache mod_ssl and php module, which are both dynamically
    > linked to the libssl.so.0.9.7. The thing that confuses me a lot is, when I
    > look on the phpinfo(), it says "OpenSSL version 0.9.7c", which it
    > was compiled against.
    >
    > Does this mean, that I'm still vulnerable, or it is just version
    > hardcoded to the binary, while the library itself was successfully
    > reloaded?

    The latter...
    The thing is that OPENSSL_VERSION_TEXT is used to display the
    openssl version (AFAIK there's no alternative method):
         php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT);

    OPENSSL_VERSION_TEXT is defined in one of the openssl header files
    (opensslv.h) and is a string constant, thus compiled in.

    So if ldd shows it's using that lib (you could even lsof it at runtime
    to be sure) then you should be ok.

            Bram Matthys.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
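
The runtime check suggested in the reply above, as an added example that is not part of the original message: it reads a process's memory map and reports which libssl/libcrypto files are actually loaded, flagging a copy whose file on disk has since been unlinked by an upgrade. It assumes the Linux /proc/<pid>/maps format; the function names are hypothetical and the sample map is constructed.

```shell
#!/bin/sh
# Which OpenSSL shared libraries does a running process really have mapped?
# Input is Linux /proc/<pid>/maps text (assumption: fields are
# address perms offset dev inode path, optionally followed by "(deleted)").
# "(deleted)" means the file was unlinked after the process mapped it, so the
# process keeps running the old code until it is restarted.

# ssl_maps [FILE]: print "STATE PATH" once per mapped libssl/libcrypto.
# Reads stdin when no FILE is given. Paths containing spaces are not handled.
ssl_maps() {
    awk '
        $6 ~ "/lib(ssl|crypto)[^/]*[.]so" {
            path = $6
            state = ($7 == "(deleted)") ? "STALE" : "current"
            if (!(path in seen)) { seen[path] = 1; print state, path }
        }' "$@"
}

# needs_restart [FILE]: succeed (exit 0) if any mapped OpenSSL library is stale.
needs_restart() {
    ssl_maps "$@" | grep -q '^STALE '
}

# Constructed sample: a web server that mapped libssl before it was replaced.
sample_maps() {
    cat <<'EOF'
08048000-080a0000 r-xp 00000000 03:01 1234   /usr/sbin/httpd
40018000-40045000 r-xp 00000000 03:01 5678   /usr/lib/libssl.so.0.9.7 (deleted)
40045000-40048000 rw-p 0002d000 03:01 5678   /usr/lib/libssl.so.0.9.7 (deleted)
40048000-40130000 r-xp 00000000 03:01 5680   /usr/lib/libcrypto.so.0.9.7
EOF
}

# Demonstration on the constructed sample.
# For a live process, run: ssl_maps /proc/<pid>/maps
sample_maps | ssl_maps
```

A library that was overwritten in place rather than unlinked will not carry the "(deleted)" marker, so comparing the mapped path against the package's installed file is still worthwhile.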

