Bug#650536: [new check] test for missing hardening build flags

To: Niels Thykier <niels@thykier.net>
Cc: Debian Bug Tracking System <650536@bugs.debian.org>, Alexander Reichle-Schmehl <tolimar@debian.org>
Subject: Bug#650536: [new check] test for missing hardening build flags
From: Kees Cook <kees@debian.org>
Date: Thu, 8 Dec 2011 14:51:07 -0800
Message-id: <[🔎] 20111208225107.GB5169@outflux.net>
Reply-to: Kees Cook <kees@debian.org>, 650536@bugs.debian.org
In-reply-to: <[🔎] 20111208110637.80FDB47BB6@thykier.net>
References: <[🔎] 20111208110637.80FDB47BB6@thykier.net>

On Thu, Dec 08, 2011 at 12:06:37PM +0100, Niels Thykier wrote:
> I was informed (and have verified) that hardening-check uses "ldd(1)".
> Unfortunately, ldd(1) appears to be (semi-)executing the binaries it
> is run on[1].  This smells like a CVE in the making, so would it be
> possible for you to update hardening-check to use readelf instead[2]?

Yeah, I can do this manually instead of invoking ldd(1). From the
perspective of doing build checks, it seems like a non-issue, but better to
just fix it anyway. I'll update hardening-check.

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Bug#650536: [new check] test for missing hardening build flags
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Bug#650536: [new check] test for missing hardening build flags
Next by Date: Bug#650536: [new check] test for missing hardening build flags
Previous by thread: Bug#650536: [new check] test for missing hardening build flags
Next by thread: Bug#651392: lintian: unversioned-copyright-format-uri references 404 http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn
Index(es):
- Date
- Thread