Bug#685299: lintian: False positive from hardening-no-fortify-functions



Package: lintian
Version: 2.5.10.1
Severity: normal

Hi,

consider the following (guitarix 0.24.0-1 is in experimental):

$ lintian -i guitarix_0.24.0-1_i386.changes 
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix.so
N: 
N:    This package provides an ELF binary that lacks the use of fortified libc
N:    functions. Either there are no potentially unfortified functions called
N:    by any routines, all unfortified calls have already been fully validated
N:    at compile-time, or the package was not built with the default Debian
N:    compiler flags defined by dpkg-buildflags. If built using
N:    dpkg-buildflags directly, be sure to import CPPFLAGS.
N:    
N:    NB: Due to false-positives, Lintian ignores some unprotected functions
N:    (e.g. memcpy).
N:    
N:    Refer to http://wiki.debian.org/Hardening and
N:    http://bugs.debian.org/673112 for details.
N:    
N:    Severity: normal, Certainty: possible
N:    
N:    Check: binaries, Type: binary, udeb
N: 
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_IR.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_amp.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_compressor.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_crybaby.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_distortion.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_echo.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_freeverb.so

I already sorted out similar issues with upstream to correctly pass the
dpkg-buildflags to the build. But the above is still present, even though it
looks like everything (especially CPPFLAGS) is passed correctly.

See also the build log at https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045

Maybe this is a false positive?

Thanks in advance,

Roland


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lintian depends on:
ii  binutils                       2.22-7.1
ii  bzip2                          1.0.6-3
ii  diffstat                       1.55-3
ii  file                           5.11-2
ii  gettext                        0.18.1.1-9
ii  hardening-includes             2.2
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.26+b1
ii  libarchive-zip-perl            1.30-6
ii  libc-bin                       2.13-35
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.31-1+b2
ii  libdpkg-perl                   1.16.8
ii  libemail-valid-perl            0.190-1
ii  libipc-run-perl                0.91-1
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtimedate-perl               1.2000-1
ii  liburi-perl                    1.60-1
ii  locales                        2.13-35
ii  man-db                         2.6.2-1
ii  patchutils                     0.3.2-1.1
ii  perl [libdigest-sha-perl]      5.14.2-12

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.16.8
ii  libhtml-parser-perl    3.69-2
pn  libperlio-gzip-perl    <none>
ii  libtext-template-perl  1.45-2
ii  lzma                   9.22-2
ii  man-db                 2.6.2-1
ii  xz-utils [lzma]        5.1.1alpha+20120614-1

-- no debconf information
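The tag description above gives three possible causes for the warning (no fortifiable calls, everything validated at compile time, or missing CPPFLAGS), and the check itself boils down to reading the binary's undefined symbols. The script below is an added illustration of that check, not lintian's or hardening-check's own code (those are Perl): it parses `readelf -Ws` output, splits imported libc calls into fortified `__*_chk` variants and unfortified fortifiable calls, and applies the simplified rule "warn when fortifiable calls are present but no `__*_chk` call is". The `FORTIFIABLE` list is a hand-picked subset of what glibc's `_FORTIFY_SOURCE` covers, the `memcpy` ignore list is taken from the tag text, and all three `readelf` samples are constructed, not taken from the guitarix build.

```python
"""Simplified model of lintian's hardening-no-fortify-functions check.

Added illustration, not lintian's or hardening-check's own code. The decision
rule is a simplified reading of the tag description: a binary is flagged when it
imports fortifiable libc functions but no __*_chk variants, with memcpy ignored
on the unprotected side. Run on a real file with:
    readelf -Ws usr/lib/ladspa/guitarix.so | python3 this_script.py
"""
import re
import sys

# Partial list of libc functions glibc redirects to __*_chk variants when built
# with -D_FORTIFY_SOURCE=2 and optimisation (assumption: subset, not complete).
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "vsprintf", "vsnprintf", "printf", "fprintf",
    "gets", "fgets", "read", "pread", "recv", "recvfrom", "getcwd", "realpath",
}

# The tag description says lintian ignores some unprotected functions to avoid
# false positives and names memcpy; it is the only one modelled here.
IGNORED_UNPROTECTED = {"memcpy"}

_CHK = re.compile(r"^__(\w+)_chk$")


def undefined_functions(readelf_output):
    """Set of FUNC symbols imported from elsewhere (Ndx == UND) in `readelf -Ws`
    text, with the @GLIBC_x.y version suffix stripped."""
    names = set()
    for line in readelf_output.splitlines():
        fields = line.split()
        # Layout: Num: Value Size Type Bind Vis Ndx Name [(version index)]
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        _num, _value, _size, typ, _bind, _vis, ndx, name = fields[:8]
        if typ != "FUNC" or ndx != "UND":
            continue
        names.add(name.split("@", 1)[0])
    return names


def classify(readelf_output):
    """Split imports into protected (__*_chk) and unprotected fortifiable calls
    and report which of the tag's three situations the binary is in."""
    imported = undefined_functions(readelf_output)
    protected = {m.group(1) for m in map(_CHK.match, imported) if m}
    unprotected = (imported & FORTIFIABLE) - IGNORED_UNPROTECTED
    if protected:
        verdict = "fortified"                       # flags were in effect
    elif unprotected:
        verdict = "hardening-no-fortify-functions"  # lintian would warn
    else:
        verdict = "nothing-to-fortify"              # nothing left after ignore list
    return {"protected": sorted(protected),
            "unprotected": sorted(unprotected),
            "verdict": verdict}


# Constructed sample (not from the guitarix build): a plugin importing sprintf
# and strcpy with no _chk variants, i.e. built without -D_FORTIFY_SOURCE=2.
UNFORTIFIED = """\
Symbol table '.dynsym' contains 6 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND sprintf@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.0 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.0 (2)
     4: 00000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize@GLIBC_2.1.3 (3)
     5: 000012a0    84 FUNC    GLOBAL DEFAULT   12 ladspa_descriptor
"""

# Constructed sample: the same plugin with CPPFLAGS carrying -D_FORTIFY_SOURCE=2,
# so the three calls resolve to their checked variants.
FORTIFIED = (UNFORTIFIED
             .replace("sprintf@GLIBC_2.0", "__sprintf_chk@GLIBC_2.3.4")
             .replace("strcpy@GLIBC_2.0", "__strcpy_chk@GLIBC_2.3.4")
             .replace("memcpy@GLIBC_2.0", "__memcpy_chk@GLIBC_2.3.4"))

# Constructed sample: the only fortifiable import is memcpy, which the tag says
# lintian ignores, so nothing is left to warn about.
MEMCPY_ONLY = (UNFORTIFIED
               .replace("sprintf@GLIBC_2.0", "strlen@GLIBC_2.0")
               .replace("strcpy@GLIBC_2.0", "strcmp@GLIBC_2.0"))

if __name__ == "__main__":
    if not sys.stdin.isatty():
        print(classify(sys.stdin.read()))
    else:
        for label, text in (("unfortified", UNFORTIFIED),
                            ("fortified", FORTIFIED),
                            ("memcpy-only", MEMCPY_ONLY)):
            print(label, classify(text))
```

The third sample is the case worth checking before filing a false-positive report: a small plugin whose only fortifiable call is memcpy, or whose string and memory calls were inlined or bounds-validated at compile time, shows no `__*_chk` symbols even when CPPFLAGS were passed correctly, which is exactly the first two causes the tag text lists. Piping the real `readelf -Ws` output for one of the flagged `.so` files through the script shows which of the three situations applies.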