[Mono-dev] Possible security issue with Mono's dllmaps in etc/config

Daniel Morgan monodanmorg at yahoo.com
Mon Jan 8 12:03:17 EST 2007


libmySQL.dll can be removed since
Mono.Data.PostgreSqlClient has been replaced by fully
managed ByteFX.Data a long time ago.

As far as I'm concerned, it is up to the packager to
know what the dllmaps should be.  Or maybe
configure.in foo can be added to detect what native
libraries they actually have and setup the dllmaps for
this.

Note on unix, it is not only unixODBC, but there is
iODBC and other commercial implementations of odbc
driver managers available. uixodbc being libodbc.so
and iODBC being libiodbc.so

Didn't BenM or someone make the XML stylesheet support
in mono fully managed?  If yes, do we still need
dllmap for libxslt?

--- Paolo Molaro <lupus at ximian.com> wrote:

> On 01/08/07 Marek Habersack wrote:
> > <dllmap dll="libxslt.dll" target="libxslt.so"
> os="!windows"/>
> > <dllmap dll="libmySQL.dll"
> target="libmysqlclient.so" os="!windows" />
> > <dllmap dll="odbc32.dll" target="libodbc.so"
> os="!windows"/>
> > 
> > we may encounter two issues. First (not security
> related, just usage
> > annoyance) is that on some Linux distributions the
> lib*.so file won't
> > exist unless there are devel packages installed
> for the library in
> > question. So unless the mono library mapper
> automatically appends the
> 
> The people that implemented the dllimport methods
> that use the above
> libraries should fix the config dllmap entries to
> use the proper valid
> soname of the ABI they programmed against. Or they
> should make sure
> to deal with any needed ABI change and check in the
> code. There is no
> need to change anything in the runtime code to fix
> this, just get the
> lazy people to specify the soname/ABI they used.
> 
> In the future we'll allow listing multiple targets
> so if the dllimport
> code can handle multiple versions, the dllmap code
> will try all the
> possible targets until one loads:
> 
> 	<dllmap dll="libmySQL.dll"
> target="libmysqlclient.so.10" os="!windows" />
> 	<dllmap dll="libmySQL.dll"
> target="libmysqlclient.so.12" os="!windows" />
> 
> with later entries overriding earlier ones as it is
> now.
> There won't be any support for soname specifications
> as you suggested,
> becaue it's not portable, ordered or reliable.
> 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



More information about the Mono-devel-list mailing list