Bug#695319: lintian: False positive: hardening-no-fortify-functions

To: 695319@bugs.debian.org
Subject: Bug#695319: lintian: False positive: hardening-no-fortify-functions
From: Benjamin Drung <bdrung@debian.org>
Date: Sat, 19 Jan 2013 00:37:32 +0100
Message-id: <[🔎] 1358552252.3810.30.camel@deep-thought>
Reply-to: Benjamin Drung <bdrung@debian.org>, 695319@bugs.debian.org
In-reply-to: <[🔎] 50F98325.9050309@thykier.net>
References: <1354839860.3710.1.camel@deep-thought> <[🔎] 50F98325.9050309@thykier.net>

Am Freitag, den 18.01.2013, 18:15 +0100 schrieb Niels Thykier:
> Control: forcemerge 685299 -1
> 
> On 2012-12-07 01:24, Benjamin Drung wrote:
> > Package: lintian
> > Version: 2.5.10.2
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > lintian produces inter alia following output for VLC:
> > 
> > $ lintian vlc_2.0.3-4_amd64.changes 
> > [...]
> > 
> > The hardening dpkg-buildflags are passed to the build system. The build log
> > looks like everything (including CPPFLAGS) is handled correctly. Most of the
> > vlc plugins are correctly detected to use fortified libc functions. I see no
> > difference in the logs between to detected and non detected plugins. Therefore
> > I assume that the lintian warnings are false positives.
> > 
> > Versions of packages lintian depends on:
> > ii  hardening-includes             2.2
> > 
> 
> The majority (but not all) of the tags have disappeared with the fix for
> #685299.  Though I cannot fix all them without completely neutering the
> check.

Thanks. The current git version of lintian (29bd97f6) reduces the number
of hardening-no-fortify-functions warnings from 61 to 14. Attached the
verbose log from hardening-check for the remaining 14 plugins. Should I
override these warnings?

-- 
Benjamin Drung
Debian & Ubuntu Developer

$ for i in usr/lib/vlc/plugins/access/libpulsesrc_plugin.so usr/lib/vlc/plugins/audio_output/libpulse_plugin.so usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so usr/lib/vlc/plugins/access/libaccess_oss_plugin.so usr/lib/vlc/plugins/access/libdc1394_plugin.so usr/lib/vlc/plugins/access/liblibbluray_plugin.so usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so usr/lib/vlc/plugins/control/libnetsync_plugin.so usr/lib/vlc/plugins/demux/libmjpeg_plugin.so usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so; do hardening-check --verbose $i; done
usr/lib/vlc/plugins/access/libpulsesrc_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/audio_output/libpulse_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
	unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_oss_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libdc1394_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: read
	unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/liblibbluray_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
	unprotected: strncpy
	unprotected: memset
	unprotected: realpath
	unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: strncpy
	unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/control/libnetsync_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: recvfrom
	unprotected: recv
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/demux/libmjpeg_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: strncpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: memmove
	unprotected: stpcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
	unprotected: strncpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
	unprotected: memmove
	unprotected: recv
 Read-only relocations: yes
 Immediate binding: no, not found!

Reply to:

Follow-Ups:
- Bug#695319: lintian: False positive: hardening-no-fortify-functions
  - From: Niels Thykier <niels@thykier.net>

References:
- Bug#695319: lintian: False positive: hardening-no-fortify-functions
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Processed: limit source to lintian, tagging 670963
Next by Date: [SCM] Debian package checker branch, master, updated. 2.5.11-84-g705577d
Previous by thread: Processed: Re: Bug#695319: lintian: False positive: hardening-no-fortify-functions
Next by thread: Bug#695319: lintian: False positive: hardening-no-fortify-functions
Index(es):
- Date
- Thread