[SCM] Debian package checker branch, master, updated. 2.5.7-21-gb20866d
The following commit has been merged in the master branch:
commit b20866df84eed2771e1197b714339a329b092c78
Author: Niels Thykier <niels@thykier.net>
Date: Sun May 27 08:40:54 2012 +0200
coll/hardening: Skip some no-fort-func
Do not emit hardening-no-fortify-functions for binaries if their only
unprotected function is memcpy. This is a "false-positive ->
false-negative" trade-off. However, it greatly reduces the number of
false positives due to how gcc-4.7 (at -O2 or higher) optimizes
binaries.
Please refer to #673112 (comment #45) for more information on this.
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/binaries.desc b/checks/binaries.desc
index e621a5d..9a81f60 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -320,7 +320,10 @@ Info: This package provides an ELF binary that lacks the use of fortified
validated at compile-time, or the package was not built with the default
Debian compiler flags defined by <tt>dpkg-buildflags</tt>. If built using
<tt>dpkg-buildflags</tt> directly, be sure to import <tt>CPPFLAGS</tt>.
-Ref: http://wiki.debian.org/Hardening
+ .
+ NB: Due to false-positives, Lintian ignores some unprotected functions
+ (e.g. memcpy).
+Ref: http://wiki.debian.org/Hardening, #673112
Tag: hardening-no-relro
Severity: normal
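Review bot: the NB added to the tag description says Lintian ignores "some unprotected functions (e.g. memcpy)", but the collector change in this commit special-cases exactly one function, memcpy, so the description should say that precisely ("Lintian does not emit this tag when memcpy is the only unprotected function") rather than leaving the reader to guess which others might be skipped. The trade-off stated in the commit message also belongs here: a binary whose sole unfortified call is memcpy will now pass silently, and the tag description is where a maintainer wondering about a missing tag will look.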
diff --git a/collection/hardening-info b/collection/hardening-info
index a8a932d..80b711e 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -51,11 +51,24 @@ chdir ("$dir/unpacked")
foreach my $bin (keys %$file_info) {
my $finfo = $file_info->{$bin};
next unless $finfo =~ m/\bELF\b/o;
- if (open (PIPE, '-|', "hardening-check --lintian -- \Q$bin\E 2>&1")) {
- local $/;
- local $_ = <PIPE>;
- print OUT $_;
- close PIPE;
+ if (open (my $pipe, '-|', "hardening-check --lintian -- \Q$bin\E 2>&1")) {
+ while ( my $line = <$pipe> ) {
+ my $emit = 1;
+ if ($line =~ m/^no-fortify-functions:/o ) {
+ $emit = 0;
+ open my $p2, '-|', "hardening-check --verbose -- \Q$bin\E 2>&1" or fail "hardening-check: $!";
+ while ( my $l2 = <$p2> ) {
+ if ($l2 =~ m/^\s+unprotected:\s*(\S+)/) {
+ next if $1 eq 'memcpy';
+ $emit = 1;
+ last;
+ }
+ }
+ close $p2;
+ }
+ print OUT $line if $emit;
+ }
+ close $pipe;
}
}
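Review bot: in the no-fortify-functions branch, $emit is cleared before the --verbose output is parsed and is set again only when a non-memcpy `unprotected:` line is seen, so if the second hardening-check run yields no parseable `unprotected:` lines at all (an output format change, a failed run whose stderr is merged into the pipe by 2>&1, or an unexpected early close), the tag is silently dropped. The safer default is to keep $emit = 1 and clear it only when at least one unprotected line was seen and all of them named memcpy, for example by tracking `my ($seen, $other) = (0, 0);` in the inner loop and finishing with `$emit = 0 if $seen && !$other;`. Two smaller points: the inner open dies via fail while the outer open silently skips the binary on failure, and the return value of `close $p2` is not checked, so a non-zero exit from hardening-check goes unnoticed; and the /o modifier on `m/^no-fortify-functions:/o` is a no-op on a constant pattern.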
diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc
index ee051fe..5b9a29a 100644
--- a/collection/hardening-info.desc
+++ b/collection/hardening-info.desc
@@ -3,5 +3,5 @@ Author: Kees Cook <kees@debian.org>
Info: This script runs hardening-check(1) over all ELF binaries of a binary
package.
Type: binary, udeb
-Version: 1
+Version: 2
Needs-Info: bin-pkg-control, file-info, unpacked
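Review bot: the Version bump to 2 is right since the collected output changes, but the Info text still describes the collection as simply running hardening-check(1) over all ELF binaries; a sentence noting that the no-fortify-functions result is suppressed when memcpy is the only unprotected function would tell checks consuming this collection that the data is already filtered.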
diff --git a/debian/changelog b/debian/changelog
index f6d4341..441a993 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,10 @@ lintian (2.5.8) UNRELEASED; urgency=low
(Closes: #673106)
+ [NT] Demote certainty of hardening-no-stackprotector to
wild-guess and move it to debian/extra-hardening profile.
+ + [NT] Skip hardening-no-fortify-functions for binaries only
+ using the unprotected memcpy. This greatly reduces the
+ number of false positives for binaries compiled with
+ gcc-4.7 -O2 (or higher optimization). (Closes: #673112)
* checks/files:
+ [NT] Properly handle symlinks in icon directories. Thanks
to Nicholas Breen for the report and Felix Geyer for the
--