Bug#685299: lintian: False positive from hardening-no-fortify-functions
Package: lintian
Version: 2.5.10.1
Severity: normal
Hi,
consider the following (guitarix 0.24.0-1 is in experimental):
$ lintian -i guitarix_0.24.0-1_i386.changes
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix.so
N:
N: This package provides an ELF binary that lacks the use of fortified libc
N: functions. Either there are no potentially unfortified functions called
N: by any routines, all unfortified calls have already been fully validated
N: at compile-time, or the package was not built with the default Debian
N: compiler flags defined by dpkg-buildflags. If built using
N: dpkg-buildflags directly, be sure to import CPPFLAGS.
N:
N: NB: Due to false-positives, Lintian ignores some unprotected functions
N: (e.g. memcpy).
N:
N: Refer to http://wiki.debian.org/Hardening and
N: http://bugs.debian.org/673112 for details.
N:
N: Severity: normal, Certainty: possible
N:
N: Check: binaries, Type: binary, udeb
N:
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_IR.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_amp.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_compressor.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_crybaby.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_distortion.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_echo.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_freeverb.so
I already sorted out similar issues with upstream to pass the correct
dpkg-buildflags to the build. But the above is still present, even though it
looks like everything (especially CPPFLAGS) is passed correctly.
See also the build log at https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045
Maybe this is a false positive?
Thanks in advance,
Roland
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages lintian depends on:
ii binutils 2.22-7.1
ii bzip2 1.0.6-3
ii diffstat 1.55-3
ii file 5.11-2
ii gettext 0.18.1.1-9
ii hardening-includes 2.2
ii intltool-debian 0.35.0+20060710.1
ii libapt-pkg-perl 0.1.26+b1
ii libarchive-zip-perl 1.30-6
ii libc-bin 2.13-35
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.31-1+b2
ii libdpkg-perl 1.16.8
ii libemail-valid-perl 0.190-1
ii libipc-run-perl 0.91-1
ii libparse-debianchangelog-perl 1.2.0-1
ii libtimedate-perl 1.2000-1
ii liburi-perl 1.60-1
ii locales 2.13-35
ii man-db 2.6.2-1
ii patchutils 0.3.2-1.1
ii perl [libdigest-sha-perl] 5.14.2-12
lintian recommends no packages.
Versions of packages lintian suggests:
pn binutils-multiarch <none>
ii dpkg-dev 1.16.8
ii libhtml-parser-perl 3.69-2
pn libperlio-gzip-perl <none>
ii libtext-template-perl 1.45-2
ii lzma 9.22-2
ii man-db 2.6.2-1
ii xz-utils [lzma] 5.1.1alpha+20120614-1
-- no debconf information
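The tag description above lists three reasons a binary can lack `__*_chk` symbols: it calls no fortifiable libc function, every call was validated at compile time, or CPPFLAGS never reached the compiler. The script below is an added example (not lintian's or hardening-check's code) that reproduces that reasoning over `nm -D` output so one can tell which case applies to a given `.so`. The list of fortifiable functions, the `IGNORED` list (taken from the description's mention of memcpy), the constructed sample symbol tables and the script name `fortify-check.sh` are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not lintian's or hardening-check's own code: classify the
# imported libc symbols of an ELF object the way the
# hardening-no-fortify-functions tag description reasons about them.
# Input is `nm -D` output (one symbol per line); output is a one-word verdict.

# libc functions that gain a __*_chk variant under -D_FORTIFY_SOURCE=2.
# Assumption for this example; lintian's own list may differ.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat stpcpy
             sprintf snprintf vsprintf vsnprintf printf fprintf
             read pread recv recvfrom gets fgets getcwd realpath"

# Unprotected calls deliberately ignored (the tag description names memcpy
# as a known false-positive source).
IGNORED="memcpy"

# classify_symbols: read nm -D output on stdin and print one of
#   fortified      at least one __*_chk import         -> no warning
#   unfortified    fortifiable imports, none __*_chk    -> warning is justified
#   no-candidates  nothing fortifiable imported         -> warning is a false positive
classify_symbols() {
    chk=0
    plain=0
    while read -r line; do
        # read strips leading blanks, so an undefined-symbol line starts with "U "
        case "$line" in
            "U "*) ;;
            *) continue ;;
        esac
        sym=${line#U }
        sym=${sym%%@*}            # drop the @GLIBC_x.y version suffix
        case "$sym" in
            __*_chk) chk=$((chk + 1)) ;;
            *)
                for i in $IGNORED; do
                    [ "$sym" = "$i" ] && continue 2   # next input line
                done
                for f in $FORTIFIABLE; do
                    [ "$sym" = "$f" ] && plain=$((plain + 1))
                done
                ;;
        esac
    done
    if [ "$chk" -gt 0 ]; then
        echo fortified
    elif [ "$plain" -gt 0 ]; then
        echo unfortified
    else
        echo no-candidates
    fi
}

# Constructed sample `nm -D` output (not taken from the guitarix libraries).
SAMPLE_UNFORTIFIED='                 U memcpy@GLIBC_2.2.5
                 U strcpy@GLIBC_2.2.5
0000000000001139 T ladspa_descriptor'
SAMPLE_FORTIFIED='                 U __memcpy_chk@GLIBC_2.3.4
                 U __sprintf_chk@GLIBC_2.3.4
0000000000001139 T ladspa_descriptor'
SAMPLE_NO_CANDIDATES='                 U sinf@GLIBC_2.2.5
                 U malloc@GLIBC_2.2.5
                 U memcpy@GLIBC_2.2.5
0000000000001139 T ladspa_descriptor'

# Usage: ./fortify-check.sh usr/lib/ladspa/guitarix.so   (needs binutils nm)
# Without an argument the constructed samples are classified instead.
if [ -n "$1" ]; then
    nm -D "$1" | classify_symbols
else
    printf 'unfortified sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_UNFORTIFIED" | classify_symbols)"
    printf 'fortified sample     -> %s\n' "$(printf '%s\n' "$SAMPLE_FORTIFIED" | classify_symbols)"
    printf 'no-candidates sample -> %s\n' "$(printf '%s\n' "$SAMPLE_NO_CANDIDATES" | classify_symbols)"
fi
```

One caveat when reading the verdict: gcc only emits a `__*_chk` call when the destination's size is known at compile time and the length is not a constant that already fits. A library whose copies all use constant, in-bounds lengths (the "fully validated at compile-time" case in the tag description) imports only the plain symbols and therefore shows up as "unfortified" here even though CPPFLAGS reached the compiler; in that situation the build log, not the symbol table, is the evidence that `-D_FORTIFY_SOURCE=2` was passed.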