Re: [xml] correct version of libxml2



On Apr 29, 2011, at 9:55 AM, Daniel Veillard wrote:

On Tue, Apr 26, 2011 at 10:22:20AM -0400, Jonah Petri wrote:
Just out of curiosity - it _should_ be ok to call this within a
library on a statically linked copy of libxml2, right?

 I have never heard of a static embedding of libxml2 in a shared
library. This may still fail, depending on how the linker works,
if another library uses libxml2 and the linker finds it within yours
the problem is the same.
 In general embedding statically is a bad idea, any security errata
touching libxml2 would need fixing in all the statically compiled
places too, people try very hard to avoid it. I think open office
used to do this and we tried to make sure distro fixed this (a long
time ago, just to give an example).

Hi Daniel,

Thanks for the reply.  We're building audio DSP plugins, and we've learned (through experience) that the 
programs hosting our plugins are fairly hostile environments, so we've tried to be maximally defensive.  This 
includes statically linking copies of the small number of 3rd party libraries which we make use of (including 
libxml2).  We do take care to have our link step hide all of the libxml2 symbols, to prevent the runtime 
linker from seeing them at all.  I did this to avoid exactly the sort of problem you were mentioning, and it 
works.  As for the security errata issue, that's definitely true, but the risk in our use case is small, as 
only local FS files are processed.  There is still some risk, however.

Thanks for all your work on libxml2!
Jonah
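
Added example, not part of the original message or of libxml2: a build-time check that a plugin's link step really hid the statically embedded libxml2 symbols, done by parsing `nm -D --defined-only` output against an allow-list of intended exports. The plugin name `PluginEntry`, the sample nm listings and the prefix heuristic are assumptions made for illustration.

```python
import subprocess

# Assumption: prefixes covering most of libxml2's public API (a heuristic only).
LIBXML2_PREFIXES = ("xml", "html", "xlink")
# nm type letters: uppercase means global; v/w (weak) and u (unique global)
# are lowercase but still visible to the runtime linker.
EXPORTED_LOWER = {"v", "w", "u"}


def nm_dynamic(path):
    """Return `nm -D --defined-only` output for a shared object (needs binutils)."""
    return subprocess.run(["nm", "-D", "--defined-only", path],
                          check=True, capture_output=True, text=True).stdout


def exported_symbols(nm_output):
    """Parse nm output into the set of defined, dynamically exported names."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:  # undefined symbols have no address column
            continue
        _addr, kind, name = fields
        if kind.isupper() or kind in EXPORTED_LOWER:
            names.add(name.split("@")[0])  # drop any @VERSION / @@VERSION tag
    return names


def audit(nm_output, allowed):
    """Return (exports not in the allow-list, those that look like libxml2)."""
    unexpected = sorted(exported_symbols(nm_output) - set(allowed))
    xml_like = [n for n in unexpected if n.startswith(LIBXML2_PREFIXES)]
    return unexpected, xml_like


# Constructed nm listings for a hypothetical plugin: one leaky, one hidden.
SAMPLE_LEAKY = """\
0000000000001f40 T PluginEntry@@PLUGIN_1.0
0000000000023a10 T xmlReadFile
0000000000024c80 T xmlFreeDoc
0000000000031d00 T htmlReadMemory
0000000000005120 W helperInit
                 U malloc
                 w __gmon_start__
"""
SAMPLE_HIDDEN = "0000000000001f40 T PluginEntry\n                 U malloc\n"

if __name__ == "__main__":
    print(audit(SAMPLE_LEAKY, {"PluginEntry"}))
    print(audit(SAMPLE_HIDDEN, {"PluginEntry"}))
```

In a real build, pass `nm_dynamic("path/to/plugin.so")` to `audit` and fail the build when the first list is non-empty.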

