Bug#650536: [new check] test for missing hardening build flags

To: Debian Bug Tracking System <650536@bugs.debian.org>, Alexander Reichle-Schmehl <tolimar@debian.org>, Kees Cook <kees@debian.org>
Subject: Bug#650536: [new check] test for missing hardening build flags
From: Niels Thykier <niels@thykier.net>
Date: Thu, 8 Dec 2011 12:06:37 +0100 (CET)
Message-id: <[🔎] 20111208110637.80FDB47BB6@thykier.net>
Reply-to: Niels Thykier <niels@thykier.net>, 650536@bugs.debian.org

Package: lintian
Version: 2.5.4
Followup-For: Bug #650536

Hi,

I was informed (and have verified) that hardening-check uses "ldd(1)".
Unfortunately, ldd(1) appears to be (semi-)executing the binaries it
is run on[1].  This smells like a CVE in the making, so would it be
possible for you to update hardening-check to use readelf instead[2]?

~Niels


[1] Quote /usr/bin/ldd:
"""
# This is the `ldd' command, which lists what shared libraries are
# used by given dynamically-linked executables.  It works by invoking the
# run-time dynamic linker as a command and setting the environment
# variable LD_TRACE_LOADED_OBJECTS to a non-empty value.
"""

Also take a look at #514408.

[2] objdump might work as well, but we are slowly migrating away from
it due to issues like #604047.

Reply to:

Follow-Ups:
- Bug#650536: [new check] test for missing hardening build flags
  - From: Jakub Wilk <jwilk@debian.org>
- Bug#650536: [new check] test for missing hardening build flags
  - From: Kees Cook <kees@debian.org>

Prev by Date: [SCM] Debian package checker branch, master, updated. 2.5.4-38-gb08ea61
Next by Date: Bug#651392: lintian: unversioned-copyright-format-uri references 404 http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn
Previous by thread: [SCM] Debian package checker branch, master, updated. 2.5.4-38-gb08ea61
Next by thread: Bug#650536: [new check] test for missing hardening build flags
Index(es):
- Date
- Thread