Bug#685299: lintian: False positive from hardening-no-fortify-functions
Hi,

On 01/18/2013 12:51 PM, Niels Thykier wrote:
> On 2012-08-19 13:47, Roland Stigge wrote:
>> Package: lintian
>> Version: 2.5.10.1
>> Severity: normal
>>
>> Hi,
>>
>> consider the following (guitarix 0.24.0-1 is in experimental):
>>
>> $ lintian -i guitarix_0.24.0-1_i386.changes
>> [...]
>>
>> I already sorted out similar issues with upstream to correctly pass the correct
>> dpkg-buildflags to the build. But the above is still present, even though it
>> looks like everything (especially CPPFLAGS) is passed correctly.
>>
>> See also the build log at https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045
>>
>> Maybe this is a false positive?
>>
>> Thanks in advance,
>>
>> Roland
>> [...]
>
> Hi,
>
> It is quite likely to be a false-positive, but Lintian does not have
> enough information to deduce that.
> Can you please run hardening-check --verbose on those binaries and
> return the result.

All reported files basically do like this:

$ hardening-check --verbose ./debian/guitarix/usr/lib/ladspa/guitarix.so
./debian/guitarix/usr/lib/ladspa/guitarix.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove
 Read-only relocations: yes
 Immediate binding: no, not found!
$

What would you suggest here?

Thanks in advance,

Roland