as I explain in my blog, the real problem is libraries which are large amalgamations of unrelated routines, such as libsystemd in the case of CVE-2024-3094.

a good solution is to split up these giant libraries into smaller ones, thus allowing for the dependency graphs of programs to remain leaner.

there is nothing about sd_notify() which requires LZMA compression. nothing. it is a function which writes a supplied string to a UNIX socket, the path of which is provided on an environmental variable.

@ariadne does tree shaking (the type that's common in statically linked languages) solve this completely? or is it not enough?

@Pashhur @ariadne tree shaking generally preserves side effects from importing modules/linking libraries.

You could argue that ifunc resolvers shouldn't be called until the first time the function is called, but there's a bunch of other ways a library can have code run at program initialisation time.