
Re: Can not disable lintian Information hardening-no-fortify-functions usr/bin/at



On Thu, 30 Jun 2016 at 16:31:43 +0100, Jose M Calhariz wrote:
> On Thu, Jun 30, 2016 at 02:59:39PM +0000, Niels Thykier wrote:
> > Please verify that the CPPFLAGS are passed to the compiler (a lot of
> > build systems fail to pass exactly CPPFLAGS on).

What Niels said. This appears to be exactly the bug here.

You can either modify the build system to take CPPFLAGS from the
environment, or do something like CFLAGS += $(CPPFLAGS) in debian/rules.

>  Fortify Source functions: no, only unprotected functions found!

This looks like the lintian tag is justified. There are three
possibilities for "fortify":

- the binary does not call any functions that have a "fortified" version
  so there is nothing to do;
- the binary calls functions that have a "fortified" version and gets the
  "fortified" version;
- the binary calls functions that have a "fortified" version but gets the
  original (unhardened) version

This looks like you're in the third possibility.

> gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -DHAVE_CONFIG_H -DVERSION=\"3.1.19\" -DETCDIR=\"/etc\" -DLOADAVG_MX=1.5 -DDAEMON_USERNAME=\"daemon\" -DDAEMON_GROUPNAME=\"daemon\" -DLFILE=\"/var/spool/cron/atjobs/.SEQ\" -Wall at.c
> 
> The flags are enabled and most protections are in place, right?

Not all. You should also be seeing -D_FORTIFY_SOURCE=2.

(blhc would probably have told you that.)

    S
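The two checks the thread relies on, as an added example that is not part of the mail: the first classifies a binary into the three "fortify" cases from its imported libc symbols, as hardening-check and lintian do, the second tells whether a compile line carries -D_FORTIFY_SOURCE=2, as blhc does. The sample `nm -D` output is constructed, and the fortifiable-function list is an illustrative subset of glibc's, not the full one.

```shell
#!/bin/sh
# Added example (not from the thread): classify a binary's fortify status
# from its dynamic symbol table, the way hardening-check/lintian do, and
# check a compile line for -D_FORTIFY_SOURCE=2, the way blhc does.
# The function list is an illustrative subset of glibc's fortifiable functions.

FORTIFIABLE='memcpy|memmove|memset|strcpy|strncpy|strcat|sprintf|snprintf|printf|fprintf|read|fgets'

# classify_fortify NM_OUTPUT  (NM_OUTPUT is the text of `nm -D <binary>`)
# Prints one of the three cases from the mail:
#   none        - no fortifiable functions imported, nothing to do
#   fortified   - only the __*_chk variants are imported
#   unprotected - plain (unhardened) variants are imported
classify_fortify() {
    nm_out=$1
    # imported symbols carry type 'U' in nm output; versioned names end in @...
    chk=$(printf '%s\n' "$nm_out" | grep -Ec "^ *U __(${FORTIFIABLE})_chk(@|\$)" || true)
    plain=$(printf '%s\n' "$nm_out" | grep -Ec "^ *U (${FORTIFIABLE})(@|\$)" || true)
    if [ "$plain" -gt 0 ]; then
        echo unprotected
    elif [ "$chk" -gt 0 ]; then
        echo fortified
    else
        echo none
    fi
}

# check_fortify_flag COMPILER_LINE
# Prints yes if the compile command carries -D_FORTIFY_SOURCE=2 (the macro is
# only effective together with -O1 or higher, which the line should also have).
check_fortify_flag() {
    case " $1 " in
        *' -D_FORTIFY_SOURCE=2 '*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample nm -D output for the three cases.
SAMPLE_UNPROTECTED='                 U memcpy@GLIBC_2.14
                 U strcpy@GLIBC_2.2.5
0000000000001140 T main'
SAMPLE_FORTIFIED='                 U __memcpy_chk@GLIBC_2.3.4
                 U __sprintf_chk@GLIBC_2.3.4'
SAMPLE_NONE='                 U __libc_start_main@GLIBC_2.34
                 U puts@GLIBC_2.2.5'
# Abridged from the gcc line quoted in the mail, which lacks -D_FORTIFY_SOURCE=2.
AT_COMPILE_LINE='gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -DHAVE_CONFIG_H -Wall at.c'
classify_fortify "$SAMPLE_UNPROTECTED"   # unprotected
check_fortify_flag "$AT_COMPILE_LINE"    # no
```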

