Bug#709415: lintian: false positive for hardening-no-fortify-functions
On 2013-05-23 09:18, Russ Allbery wrote:
> Package: lintian
> Version: 2.5.11
> Severity: normal
>

Hi,

Assuming you were using 2.5.11 for testing, you may want to retry with
2.5.12. The latter did another false-positive -> false-negative
trade-off (memset and memmove).

> I'm getting these for a few different packages. Not sure if they're
> related, but I took a moment to track this one down. In the new
> xml-security-c 1.7.0-1, I get:
>
> W: xml-security-c-utils: hardening-no-fortify-functions usr/bin/xmlsec-xklient
>
> but the relevant build lines are:
>
> [...]
>
> so all the appropriate flags should be there.
>
> hardening-check of course has the same issue:
>
> % hardening-check xmlsec-xklient
> xmlsec-xklient:
> [...]
>
> I get the same thing from libkopenafs1:
>
> % hardening-check /usr/lib/libkopenafs.so
> /usr/lib/libkopenafs.so:
> [...]
>
> even though it's built with hardening-wrappers, although I wasn't as sure
> with it since it incorporates some assembly and I wasn't sure if that
> would confuse the check. Note that libkopenafs1 hardly calls anything in
> libc:
>
> [...]
> so I'm not sure what hardening-check has to complain about.
>
> [...]

Try running hardening-check with --verbose; this will make
hardening-check list all the "protectable" functions that appear in the
binary. Example:

"""
$ hardening-check --verbose /bin/ls
/bin/ls:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
unprotected: mempcpy
[...]
protected: mempcpy
[...]
Read-only relocations: yes
Immediate binding: no, not found!
"""
As long as there is at least 1 protected function or no unprotected
ones, Lintian should consider it "hardened".
~Niels
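
The rule stated at the end of the reply above, applied to `hardening-check --verbose` output. This is an added example, not part of the original message and not Lintian's or hardening-check's own code; the sample outputs are constructed, and the helper names `parse_verbose`, `considered_hardened` and `triage` are hypothetical.

```python
import re

# Constructed samples, modelled on the --verbose output quoted in the message.
# Function names other than mempcpy, memset and memmove are made up for the demo.
SAMPLE_MIXED = """\
/bin/ls:
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
    unprotected: mempcpy
    unprotected: memset
    protected: mempcpy
    protected: snprintf
 Read-only relocations: yes
"""
SAMPLE_NONE_PROTECTED = """\
/usr/lib/libexample.so:
    unprotected: memset
    unprotected: memmove
"""
SAMPLE_NOTHING_TO_PROTECT = """\
/usr/bin/example:
 Stack protected: yes
"""

# Matches only the per-function lines, not "Stack protected: yes".
FUNC_LINE = re.compile(r"^\s*(protected|unprotected):\s*(\S+)\s*$")

def parse_verbose(text):
    """Collect the function names listed as protected / unprotected."""
    found = {"protected": set(), "unprotected": set()}
    for line in text.splitlines():
        m = FUNC_LINE.match(line)
        if m:
            found[m.group(1)].add(m.group(2))
    return found

def considered_hardened(text):
    """At least one protected function, or no unprotected ones."""
    f = parse_verbose(text)
    return bool(f["protected"]) or not f["unprotected"]

def triage(text):
    """Verdict plus the functions worth a closer look by a maintainer."""
    f = parse_verbose(text)
    return {
        "hardened": considered_hardened(text),
        # Same function seen both ways, like mempcpy in the quoted output.
        "both": sorted(f["protected"] & f["unprotected"]),
        "only_unprotected": sorted(f["unprotected"] - f["protected"]),
    }
```

A function can appear in both lists, as mempcpy does in the quoted output, so the rule looks at whether any protected function exists in the binary rather than at individual calls.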