Bug#650536: [new check] test for missing hardening build flags
On Thu, Dec 08, 2011 at 12:06:37PM +0100, Niels Thykier wrote:
> I was informed (and have verified) that hardening-check uses "ldd(1)".
> Unfortunately, ldd(1) appears to be (semi-)executing the binaries it
> is run on[1]. This smells like a CVE in the making, so would it be
> possible for you to update hardening-check to use readelf instead[2]?
Yeah, I can do this manually instead of invoking ldd(1). From the
perspective of doing build checks, it seems like a non-issue, but better to
just fix it anyway. I'll update hardening-check.
--
Kees Cook @debian.org
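The readelf-style approach suggested in the thread, reading the ELF program headers as plain bytes so the binary under test is never loaded or executed, as an added Python example that is not code from hardening-check or from this bug report. The `build_sample_elf64` helper constructs a minimal, non-loadable ELF64 image purely as test input.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. PIE/shared object


def inspect_elf64(data: bytes) -> dict:
    """Derive PIE / NX / RELRO facts from the ELF64 header and program headers.

    Pure byte parsing: nothing is mapped or run, which is the property that
    ldd(1) lacks (the dynamic loader is invoked on the inspected file).
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # A GNU_STACK header without PF_X means a non-executable stack;
            # no GNU_STACK header at all is treated as not hardened.
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def build_sample_elf64(pie: bool, exec_stack: bool, relro: bool) -> bytes:
    """Constructed test input: ELF64 header plus program headers, nothing else."""
    phdr = "<IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    phdrs = [struct.pack(phdr, PT_GNU_STACK, 0x6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(phdr, PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELF64, little-endian, SysV ABI
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                                 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(phdrs)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(inspect_elf64(f.read()))
```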