
Bug#709415: lintian: false positive for hardening-no-fortify-functions



Package: lintian
Version: 2.5.11
Severity: normal

I'm getting these for a few different packages.  Not sure if they're
related, but I took a moment to track this one down.  In the new
xml-security-c 1.7.0-1, I get:

W: xml-security-c-utils: hardening-no-fortify-functions usr/bin/xmlsec-xklient

but the relevant build lines are:

g++ -DHAVE_CONFIG_H -I. -I.. -I../xsec/framework -I..  -D_FORTIFY_SOURCE=2    -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -c -o xklient.o `test -f 'tools/xklient/xklient.cpp' || echo './'`tools/xklient/xklient.cpp
tools/xklient/xklient.cpp: In function 'int doParsedMsgDump(xercesc_3_1::DOMDocument*)':
tools/xklient/xklient.cpp:3815:6: warning: variable 'errorsOccured' set but not used [-Wunused-but-set-variable]
/bin/sh ../libtool --tag=CXX   --mode=link g++  -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD  -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o xklient xklient.o libxml-security-c.la -lxerces-c -lm   -lssl -lcrypto  
libtool: link: g++ -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -fPIE -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o .libs/xklient xklient.o  -Wl,--as-needed ./.libs/libxml-security-c.so -lxerces-c -lm -lssl -lcrypto -pthread

so all the appropriate flags should be there.

hardening-check of course has the same issue:

% hardening-check xmlsec-xklient 
xmlsec-xklient:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

I get the same thing from libkopenafs1:

% hardening-check /usr/lib/libkopenafs.so
/usr/lib/libkopenafs.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

even though it's built with hardening-wrappers, although I wasn't as sure
with it since it incorporates some assembly and I wasn't sure if that
would confuse the check.  Note that libkopenafs1 hardly calls anything in
libc:

Symbol table '.dynsym' contains 21 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTab
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.0 (3)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND signal@GLIBC_2.0 (3)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND ioctl@GLIBC_2.0 (3)
     5: 00000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize@GLIBC_2.1.3 (4)
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (3)
     7: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (5)
     9: 00000000     0 FUNC    GLOBAL DEFAULT  UND __errno_location@GLIBC_2.0 (5)
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND syscall@GLIBC_2.0 (3)
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND getgroups@GLIBC_2.0 (3)
    12: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
    13: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
    14: 00000000     0 FUNC    GLOBAL DEFAULT  UND close@GLIBC_2.0 (5)
    15: 000008b0    86 FUNC    GLOBAL DEFAULT   12 k_unlog@@KOPENAFS_1.0
    16: 00000000     0 OBJECT  GLOBAL DEFAULT  ABS KOPENAFS_1.0
    17: 00000870    56 FUNC    GLOBAL DEFAULT   12 k_pioctl@@KOPENAFS_1.0
    18: 00000790   187 FUNC    GLOBAL DEFAULT   12 k_hasafs@@KOPENAFS_1.0
    19: 00000910   361 FUNC    GLOBAL DEFAULT   12 k_haspag@@KOPENAFS_1.0
    20: 00000850    25 FUNC    GLOBAL DEFAULT   12 k_setpag@@KOPENAFS_1.0

so I'm not sure what hardening-check has to complain about.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.8-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lintian depends on:
ii  binutils                       2.22-8
ii  bzip2                          1.0.6-4
ii  diffstat                       1.55-3
ii  file                           1:5.11-3
ii  gettext                        0.18.1.1-10
ii  hardening-includes             2.3
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.28
ii  libarchive-zip-perl            1.30-6
ii  libc-bin                       2.13-38
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.31-1+b2
ii  libdpkg-perl                   1.16.10
ii  libemail-valid-perl            0.190-1
ii  libipc-run-perl                0.92-1
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtext-levenshtein-perl       0.06~01-2
ii  libtimedate-perl               1.2000-1
ii  liburi-perl                    1.60-1
ii  locales                        2.17-3
ii  man-db                         2.6.3-3
ii  patchutils                     0.3.2-1.1
ii  perl [libdigest-sha-perl]      5.14.2-21
ii  t1utils                        1.37-2

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.16.10
ii  libhtml-parser-perl    3.71-1
pn  libperlio-gzip-perl    <none>
ii  libtext-template-perl  1.45-2
ii  man-db                 2.6.3-3
ii  xz-utils [lzma]        5.1.1alpha+20120614-2

-- no debconf information
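The verdicts quoted above come from a symbol-based heuristic: hardening-check only looks at the undefined dynamic symbols of the binary, reports "yes" when it sees a glibc checked variant such as `__memcpy_chk` or `__printf_chk`, and otherwise reports "only unprotected functions found" whenever a function that *could* have been fortified (open, memcpy, read, ...) is imported in its plain form. Because gcc emits the plain call whenever it can prove the operation safe at compile time, a binary that was built with `-D_FORTIFY_SOURCE=2 -O2` but never needs a run-time check ends up looking exactly like one built without fortification. The script below, an added example that is neither part of this bug report nor hardening-check's own code, reproduces that classification on `readelf -W --dyn-syms` output; the `FORTIFIABLE` set is an illustrative subset rather than the exact list hardening-check ships, and the `__open_2`/`__openat_2` names are the glibc wrappers for fortified `open`. The first sample is the libkopenafs symbol table from the report; the other two are constructed.

```python
"""Approximate hardening-check's "Fortify Source functions" verdict from a
readelf dynamic-symbol dump, to show why a correctly built binary can be flagged."""
import re
import shutil
import subprocess

# Assumption: an illustrative subset of the glibc functions that have
# _FORTIFY_SOURCE wrappers, not hardening-check's exact list.
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "mempcpy", "strcpy", "strncpy", "stpcpy",
    "strcat", "strncat", "sprintf", "snprintf", "vsprintf", "vsnprintf",
    "printf", "fprintf", "vprintf", "vfprintf", "read", "pread", "pread64",
    "recv", "recvfrom", "getcwd", "readlink", "realpath", "fgets", "gets",
    "open", "openat", "wcscpy", "wmemcpy",
}
CHECKED = re.compile(r"^__\w+_chk$")             # __memcpy_chk, __printf_chk, ...
OPEN_CHECKED = {"__open_2", "__openat_2", "__open64_2", "__openat64_2"}

# Copied from the bug report above (libkopenafs.so, i386).
LIBKOPENAFS_DYNSYM = """\
Symbol table '.dynsym' contains 21 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTab
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.0 (3)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND signal@GLIBC_2.0 (3)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND ioctl@GLIBC_2.0 (3)
     5: 00000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize@GLIBC_2.1.3 (4)
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (3)
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (5)
     9: 00000000     0 FUNC    GLOBAL DEFAULT  UND __errno_location@GLIBC_2.0 (5)
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND syscall@GLIBC_2.0 (3)
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND getgroups@GLIBC_2.0 (3)
    14: 00000000     0 FUNC    GLOBAL DEFAULT  UND close@GLIBC_2.0 (5)
    15: 000008b0    86 FUNC    GLOBAL DEFAULT   12 k_unlog@@KOPENAFS_1.0
"""
# Constructed: a binary where gcc could not prove a memcpy safe.
CHECKED_SAMPLE = """\
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
"""
# Constructed: nothing fortifiable is called at all.
CLEAN_SAMPLE = """\
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.2.5 (2)
"""

def undefined_functions(readelf_text):
    """Names of undefined FUNC symbols in `readelf -W --dyn-syms` output."""
    names = []
    for line in readelf_text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "FUNC" or parts[6] != "UND":
            continue
        names.append(parts[7].split("@", 1)[0])   # strip @GLIBC_x.y version
    return names

def classify_fortify(readelf_text):
    """Return (verdict, protected, unprotected) the way hardening-check words it."""
    funcs = undefined_functions(readelf_text)
    protected = [f for f in funcs if CHECKED.match(f) or f in OPEN_CHECKED]
    unprotected = [f for f in funcs if f in FORTIFIABLE]
    if protected:
        return "yes", protected, unprotected
    if unprotected:
        return "no, only unprotected functions found!", protected, unprotected
    return "no, not found!", protected, unprotected

def classify_binary(path):
    """Same check on a real ELF file; assumes binutils' readelf is installed."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf not found; install binutils")
    out = subprocess.run(["readelf", "-W", "--dyn-syms", path],
                         check=True, capture_output=True, text=True).stdout
    return classify_fortify(out)

if __name__ == "__main__":
    for label, dump in (("libkopenafs", LIBKOPENAFS_DYNSYM),
                        ("checked", CHECKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict, prot, unprot = classify_fortify(dump)
        print(f"{label}: {verdict}  protected={prot} unprotected={unprot}")
```

On the report's libkopenafs table the only fortifiable import is the plain `open`, which is enough for the "only unprotected functions found" verdict even though no `__*_chk` symbol could have been emitted for the code in question. The practical check is therefore to run `classify_binary` (or `readelf -W --dyn-syms`) yourself and look at which plain imports triggered the warning before treating it as a missing build flag.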

