Bug#709415: lintian: false positive for hardening-no-fortify-functions
Package: lintian
Version: 2.5.11
Severity: normal
I'm getting these for a few different packages. Not sure if they're
related, but I took a moment to track this one down. In the new
xml-security-c 1.7.0-1, I get:
W: xml-security-c-utils: hardening-no-fortify-functions usr/bin/xmlsec-xklient
but the relevant build lines are:
g++ -DHAVE_CONFIG_H -I. -I.. -I../xsec/framework -I.. -D_FORTIFY_SOURCE=2 -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -c -o xklient.o `test -f 'tools/xklient/xklient.cpp' || echo './'`tools/xklient/xklient.cpp
tools/xklient/xklient.cpp: In function 'int doParsedMsgDump(xercesc_3_1::DOMDocument*)':
tools/xklient/xklient.cpp:3815:6: warning: variable 'errorsOccured' set but not used [-Wunused-but-set-variable]
/bin/sh ../libtool --tag=CXX --mode=link g++ -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o xklient xklient.o libxml-security-c.la -lxerces-c -lm -lssl -lcrypto
libtool: link: g++ -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -fPIE -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o .libs/xklient xklient.o -Wl,--as-needed ./.libs/libxml-security-c.so -lxerces-c -lm -lssl -lcrypto -pthread
so all the appropriate flags should be there.
hardening-check of course has the same issue:
% hardening-check xmlsec-xklient
xmlsec-xklient:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
I get the same thing from libkopenafs1:
% hardening-check /usr/lib/libkopenafs.so
/usr/lib/libkopenafs.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
even though it's built with hardening-wrappers, although I wasn't as sure
with it since it incorporates some assembly and I wasn't sure if that
would confuse the check. Note that libkopenafs1 hardly calls anything in
libc:
Symbol table '.dynsym' contains 21 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
2: 00000000 0 FUNC GLOBAL DEFAULT UND free@GLIBC_2.0 (3)
3: 00000000 0 FUNC GLOBAL DEFAULT UND signal@GLIBC_2.0 (3)
4: 00000000 0 FUNC GLOBAL DEFAULT UND ioctl@GLIBC_2.0 (3)
5: 00000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.1.3 (4)
6: 00000000 0 FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.0 (3)
7: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
8: 00000000 0 FUNC GLOBAL DEFAULT UND open@GLIBC_2.0 (5)
9: 00000000 0 FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.0 (5)
10: 00000000 0 FUNC GLOBAL DEFAULT UND syscall@GLIBC_2.0 (3)
11: 00000000 0 FUNC GLOBAL DEFAULT UND getgroups@GLIBC_2.0 (3)
12: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
13: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
14: 00000000 0 FUNC GLOBAL DEFAULT UND close@GLIBC_2.0 (5)
15: 000008b0 86 FUNC GLOBAL DEFAULT 12 k_unlog@@KOPENAFS_1.0
16: 00000000 0 OBJECT GLOBAL DEFAULT ABS KOPENAFS_1.0
17: 00000870 56 FUNC GLOBAL DEFAULT 12 k_pioctl@@KOPENAFS_1.0
18: 00000790 187 FUNC GLOBAL DEFAULT 12 k_hasafs@@KOPENAFS_1.0
19: 00000910 361 FUNC GLOBAL DEFAULT 12 k_haspag@@KOPENAFS_1.0
20: 00000850 25 FUNC GLOBAL DEFAULT 12 k_setpag@@KOPENAFS_1.0
so I'm not sure what hardening-check has to complain about.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.8-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lintian depends on:
ii binutils 2.22-8
ii bzip2 1.0.6-4
ii diffstat 1.55-3
ii file 1:5.11-3
ii gettext 0.18.1.1-10
ii hardening-includes 2.3
ii intltool-debian 0.35.0+20060710.1
ii libapt-pkg-perl 0.1.28
ii libarchive-zip-perl 1.30-6
ii libc-bin 2.13-38
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.31-1+b2
ii libdpkg-perl 1.16.10
ii libemail-valid-perl 0.190-1
ii libipc-run-perl 0.92-1
ii libparse-debianchangelog-perl 1.2.0-1
ii libtext-levenshtein-perl 0.06~01-2
ii libtimedate-perl 1.2000-1
ii liburi-perl 1.60-1
ii locales 2.17-3
ii man-db 2.6.3-3
ii patchutils 0.3.2-1.1
ii perl [libdigest-sha-perl] 5.14.2-21
ii t1utils 1.37-2
lintian recommends no packages.
Versions of packages lintian suggests:
pn binutils-multiarch <none>
ii dpkg-dev 1.16.10
ii libhtml-parser-perl 3.71-1
pn libperlio-gzip-perl <none>
ii libtext-template-perl 1.45-2
ii man-db 2.6.3-3
ii xz-utils [lzma] 5.1.1alpha+20120614-2
-- no debconf information
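The "only unprotected functions found" verdict comes from scanning the binary's undefined symbols: a fortifiable libc call (the libkopenafs table above imports `open` and `getgroups`, both of which glibc gives checked variants under -D_FORTIFY_SOURCE=2) counts as unprotected unless a `__*_chk`-style symbol is also imported, which only happens when the compiler could actually emit the checked call. As an added example (not hardening-check's or lintian's own code), the following Python reproduces that classification on a constructed, abridged copy of the report's readelf output; the FORTIFIABLE set is an assumed subset of the tool's real list.

```python
import re

# Assumed stand-in for the fortifiable-function list hardening-check carries:
# libc calls that get a checked __*_chk (or __open_2) variant under -D_FORTIFY_SOURCE=2.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strncpy", "sprintf", "snprintf",
               "printf", "fprintf", "gets", "fgets", "read", "open", "getgroups"}

# One row of readelf's symbol listing:  Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(r"^\s*\d+:\s+[0-9a-fA-F]+\s+\d+\s+(\w+)\s+\w+\s+\w+\s+(\S+)\s*(\S+)?")

def undefined_funcs(dynsym_text):
    """Imported FUNC symbols (Ndx == UND) with the @GLIBC version suffix stripped."""
    names = set()
    for line in dynsym_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "FUNC" and m.group(2) == "UND" and m.group(3):
            names.add(m.group(3).split("@")[0])      # free@GLIBC_2.0 -> free
    return names

def fortify_status(dynsym_text):
    """The three verdicts hardening-check prints for 'Fortify Source functions'."""
    funcs = undefined_funcs(dynsym_text)
    protected = {n for n in funcs
                 if (n.startswith("__") and n.endswith("_chk")) or n in ("__open_2", "__openat_2")}
    unprotected = funcs & FORTIFIABLE
    if protected:
        verdict = "yes"
    elif unprotected:
        # Fortifiable calls present but the compiler emitted no checked variant:
        # this is the verdict the report shows for libkopenafs.so and xklient.
        verdict = "no, only unprotected functions found!"
    else:
        verdict = "unknown, no protectable libc functions found"
    return verdict, protected, unprotected

# Constructed sample, abridged from the libkopenafs.so table in the report.
KOPENAFS_DYNSYM = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.0 (3)
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (5)
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND getgroups@GLIBC_2.0 (3)
    15: 000008b0    86 FUNC    GLOBAL DEFAULT   12 k_unlog@@KOPENAFS_1.0
"""
# Constructed sample of a binary where a checked call was emitted.
FORTIFIED_DYNSYM = """\
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.2.5 (2)
"""
```

Feeding it `readelf -W --dyn-syms <binary>` output shows which imported calls the check is counting against a binary that was built with the right flags but never reached a fortifiable call site.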