
Bug#673112: lintian: hardening-no-stackprotector check has many false positives



On 2012-05-21 20:25, Modestas Vainius wrote:
> Hello,
> 

Hi,

For the record, I have just demoted no-stackprotector to a wild-guess
(thus, it is now an I tag) and moved it to a separate profile
(debian/extra-hardening) so it is no longer enabled by default.

> On šeštadienis 19 Gegužė 2012 19:49:14 Russ Allbery wrote:
>> Sven Joachim <svenjoac@gmx.de> writes:
>>> Easier said than done, how should I override this warning:
>>>
>>> ,----
>>>
>>> | W: libncurses5: hardening-no-fortify-functions
>>> | usr/lib/i386-linux-gnu/libmenu.so.5.9
>>>
>>> `----
>>
>> libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*
> 
> Well, I get this "nice" lintian output:
> 
> $ lintian -I amarok_2.5.0-2_amd64.changes
> [...]
> 
> This is like 90 false positives in a single source package, it makes lintian
> output unreadable. I don't know how this hardening stuff is detected but I
> suspect this failure might be because the package is built with
> -fvisibility=hidden. If so, all KDE packages will suffer, and badly.
> 
> [...]

We use hardening-check (from hardening-includes) - as I recall it
carries a list of "unprotected functions" and checks for them (via
readelf).  It maps them to a "safe-variant" and checks for that as well.
If both protected and unprotected are used or if no unprotected
functions are used, it should mark it safe.  However, I believe Kees
(CC'ed) can correct me on (or confirm) the above.

~Niels
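The detection rule Niels describes above (imports checked via readelf, each unprotected libc function mapped to its `_FORTIFY_SOURCE` "_chk" variant, verdict from which of the two appear) can be written out as a small checker. This is an added illustration, not lintian's or hardening-check's own code; the function list is an assumed, abbreviated one, and the three `readelf -s -W` excerpts are constructed for the example.

```python
"""Illustrative re-implementation of the "fortify functions" rule that
hardening-check is described as applying (assumed, not the tool's code)."""
from typing import Dict, List, Tuple

# Assumed, abbreviated mapping of fortifiable libc functions to the _chk
# variant glibc substitutes under -D_FORTIFY_SOURCE; the real list is longer.
FORTIFY_MAP: Dict[str, str] = {
    "memcpy": "__memcpy_chk",
    "memset": "__memset_chk",
    "strcpy": "__strcpy_chk",
    "strcat": "__strcat_chk",
    "sprintf": "__sprintf_chk",
    "snprintf": "__snprintf_chk",
    "read": "__read_chk",
    "fgets": "__fgets_chk",
}
PROTECTED = set(FORTIFY_MAP.values())


def undefined_functions(readelf_output: str) -> List[str]:
    """Names of FUNC symbols an object imports (symbol rows whose Ndx is UND)."""
    names: List[str] = []
    for line in readelf_output.splitlines():
        fields = line.split()
        # Symbol rows look like: Num: Value Size Type Bind Vis Ndx Name [...]
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if not fields[0][:-1].isdigit():      # skips the "Num:" header row
            continue
        sym_type, ndx, name = fields[3], fields[6], fields[7]
        if sym_type != "FUNC" or ndx != "UND":
            continue
        names.append(name.split("@", 1)[0])   # drop the "@GLIBC_x.y" version suffix
    return names


def fortify_status(imports: List[str]) -> Tuple[str, List[str], List[str]]:
    """Verdict as in the thread: "yes" if any _chk variant is imported, "no" if
    only unprotected fortifiable functions are imported (what lintian flags),
    "unknown" if the object uses no fortifiable libc function at all."""
    protected = sorted({n for n in imports if n in PROTECTED})
    unprotected = sorted({n for n in imports if n in FORTIFY_MAP})
    if protected:
        verdict = "yes"
    elif unprotected:
        verdict = "no"
    else:
        verdict = "unknown"
    return verdict, protected, unprotected


# Constructed readelf excerpts standing in for three different libraries.
FORTIFIED_LIB = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000001120    45 FUNC    GLOBAL DEFAULT   12 example_init
"""
UNFORTIFIED_LIB = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000001120    45 FUNC    GLOBAL DEFAULT   12 example_init
"""
NO_PROTECTABLE_LIB = """\
Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND pthread_create@GLIBC_2.2.5 (2)
     2: 0000000000001120    45 FUNC    GLOBAL DEFAULT   12 example_init
"""

if __name__ == "__main__":
    for label, dump in (("fortified", FORTIFIED_LIB),
                        ("unfortified", UNFORTIFIED_LIB),
                        ("no protectable", NO_PROTECTABLE_LIB)):
        verdict, prot, unprot = fortify_status(undefined_functions(dump))
        print(f"{label:15s} fortify={verdict:8s} chk={prot} plain={unprot}")
```

One caveat that bears on the false-positive discussion in this thread: the compiler only substitutes a `__*_chk` variant where it can determine the destination buffer size at compile time, so an object built with `-D_FORTIFY_SOURCE=2` whose every `memcpy`/`strcpy` call uses a buffer of unknown size still imports only the plain symbols and lands in the "no" bucket above, even though nothing about its build was wrong. That is why a symbol-table rule of this shape can only ever be a guess.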
