Bug#650536: [new check] test for missing hardening build flags
Package: lintian
Version: 2.5.4
Followup-For: Bug #650536
Hi,
I was informed (and have verified) that hardening-check uses "ldd(1)".
Unfortunately, ldd(1) appears to be (semi-)executing the binaries it
is run on[1]. This smells like a CVE in the making, so would it be
possible for you to update hardening-check to use readelf instead[2]?
~Niels
[1] Quote /usr/bin/ldd:
"""
# This is the `ldd' command, which lists what shared libraries are
# used by given dynamically-linked executables. It works by invoking the
# run-time dynamic linker as a command and setting the environment
# variable LD_TRACE_LOADED_OBJECTS to a non-empty value.
"""
Also take a look at #514408.
[2] objdump might work as well, but we are slowly migrating away from
it due to issues like #604047.
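
What a static read of the dependency list looks like, as an added example (not part of the original message and not hardening-check's code): a Python function that parses the ELF program headers and dynamic section, the data `readelf -d` displays, and returns the DT_NEEDED entries without invoking the dynamic linker. It assumes 64-bit little-endian files and reports direct dependencies only, whereas ldd also resolves transitive ones; `needed_libs` and `sample_elf` are hypothetical names and the sample image is constructed.

```python
# Added example; needed_libs and sample_elf are hypothetical names.
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libs(data: bytes) -> list:
    """List DT_NEEDED names by parsing the file; nothing is loaded or run."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if dyn is None:
        return []  # no dynamic section, e.g. a statically linked binary
    name_offsets, strtab_vaddr = [], None
    for off in range(dyn[0], dyn[0] + dyn[1], 16):  # Elf64_Dyn: d_tag, d_val
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            name_offsets.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
    # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
    strtab = next((o + strtab_vaddr - v for v, o, n in loads
                   if strtab_vaddr is not None and v <= strtab_vaddr < v + n), None)
    if strtab is None:
        raise ValueError("DT_STRTAB missing or outside every PT_LOAD segment")
    return [data[strtab + n:data.index(b"\0", strtab + n)].decode()
            for n in name_offsets]

def sample_elf() -> bytes:
    """Constructed minimal image for the demo (not a runnable program)."""
    base, strtab = 0x400000, b"\0libc.so.6\0libm.so.6\0"
    dyn = struct.pack("<qQqQqQqQ", DT_NEEDED, 1, DT_NEEDED, 11,
                      DT_STRTAB, base + 240, DT_NULL, 0)
    size = 240 + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, base, base, size, size, 4096)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, 176, base + 176, base + 176, 64, 64, 8)
    return ehdr + phdrs + dyn + strtab
```

Calling `needed_libs(sample_elf())` exercises the parser on the constructed image; for a file on disk, pass the bytes read from it.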