Re: question on hardening
Thanks to both of you, Andreas and Nicolas, for the fast help!
Then I can upload soon.
And it came to pass on 28.05.2012 22:30 that Nicolas Bourdaud wrote:
> Hi Jan,
> On 28/05/2012 20:54, Jan Beyer wrote:
>> Lintian complains several times similar to this:
>> ----------
>> W: gwyddion: hardening-no-stackprotector usr/lib/gwyddion/modules/file/ambfile.so
>> N:
>> N: This package provides an ELF binary that lacks the stack protector
>> N: function __stack_chk_fail. Either there are no character arrays used on
>> N: the stack of any routines, or the package was not built with the default
>> N: Debian compiler flags defined by dpkg-buildflags. If built using
>> N: dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
>> N:
>> N: Refer to http://wiki.debian.org/Hardening for details.
>> ----------
>> When looking at the relevant section of the build-log, I feel that
>> the -fstack-protector option is given during compile:
>> ----------
>> # source='ambfile.c' object='ambfile.lo' libtool=yes
>> /bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W [...] -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -c -o ambfile.lo ambfile.c
>> [...]
>> ----------
>> Is it okay to ignore the Lintian warning (maybe its logic is not quite
>> perfect?) or do I need to do something to really implement this
>> correctly? There are also some more lintian warnings concerning
>> hardening-no-fortify-functions, but I think, once I understood the
>> above, these ones should work
> Don't worry, the hardening is effectively enabled, but there are a lot of
> false positives in those checks. As explained by the warning, if your
> library does not use any routine that is eligible for being protected
> by the stack protector, the lintian check will misinterpret the library
> as being unprotected. The same applies for fortify-functions.
> As you have correctly noted, the two hardening flags are set in the
> compilation (I have kept three lines that show it). So you can safely
> ignore the warnings.
Jan Beyer happy Debian Maintainer ;-)
mail email@example.com GPG key ID 0x0CA6B4AA
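An added example, not part of the thread and not gwyddion's own build machinery, that reproduces the false positive Nicolas describes: lintian only looks for a reference to `__stack_chk_fail` in the ELF object, and a function with no eligible stack buffer gets no canary, so the symbol never appears even when `-fstack-protector` was on the command line. The script assumes a Linux host with `gcc` and binutils `nm`; the two C sources, `with_buffer.c` and `without_buffer.c`, are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): show why lintian's
# hardening-no-stackprotector check can fire on a correctly built object.
# Assumes Linux, gcc and binutils nm.

# Return 0 if the ELF object references __stack_chk_fail (the symbol lintian
# looks for), 1 otherwise. nm -D prints the dynamic symbol table, where an
# undefined reference to the libc canary-failure routine shows up as "U".
references_stack_chk_fail() {
    nm -D "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# Build two tiny shared objects with -fstack-protector in a temp dir and
# print the directory name. (Debian's dpkg-buildflags additionally passes
# --param=ssp-buffer-size=4, as in the build log above, which only lowers
# the array size at which a canary is inserted; a 64-byte buffer qualifies
# either way.)
build_demo() {
    dir=$(mktemp -d) || return 1
    # Constructed source: a char array on the stack, eligible for a canary.
    cat > "$dir/with_buffer.c" <<'EOF'
#include <string.h>
int with_buffer(const char *s)
{
    char buf[64];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return (int)strlen(buf);
}
EOF
    # Constructed source: no arrays and no address-taken locals, so the
    # protector has nothing to guard and emits no __stack_chk_fail call.
    cat > "$dir/without_buffer.c" <<'EOF'
int without_buffer(int a, int b)
{
    return a * 31 + b;
}
EOF
    for name in with_buffer without_buffer; do
        gcc -O2 -fPIC -shared -fstack-protector \
            -o "$dir/$name.so" "$dir/$name.c" || return 1
    done
    printf '%s\n' "$dir"
}

# lintian-style verdict for one object, with the caveat from the thread.
report() {
    if references_stack_chk_fail "$1"; then
        echo "$1: references __stack_chk_fail (lintian: protected)"
    else
        echo "$1: no __stack_chk_fail (lintian warns; a false positive if the code has no stack buffers)"
    fi
}

demo() {
    d=$(build_demo) || { echo "build failed" >&2; return 1; }
    report "$d/with_buffer.so"
    report "$d/without_buffer.so"
    rm -rf "$d"
}

if command -v gcc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    demo
else
    echo "gcc or nm not found; skipping demo" >&2
fi
```

Both objects are compiled with identical flags, yet only `with_buffer.so` ends up referencing `__stack_chk_fail`; `without_buffer.so` produces exactly the situation the lintian note describes ("there are no character arrays used on the stack of any routines"). To confirm a real package is fine, check the build log for the flags as Jan did, and run `report` (or `nm -D ... | grep __stack_chk_fail`) on a module that you know contains a stack buffer.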