
Bug#685299: lintian: False positive from hardening-no-fortify-functions



Hi,

On 01/18/2013 12:51 PM, Niels Thykier wrote:
> On 2012-08-19 13:47, Roland Stigge wrote:
>> Package: lintian
>> Version: 2.5.10.1
>> Severity: normal
>>
>> Hi,
>>
>> consider the following (guitarix 0.24.0-1 is in experimental):
>>
>> $ lintian -i guitarix_0.24.0-1_i386.changes 
>> [...]
>>
>> I already sorted out similar issues with upstream to correctly pass the correct
>> dpkg-buildflags to the build. But the above is still present, even though it
>> looks like everything (especially CPPFLAGS) is passed correctly.
>>
>> See also the build log at https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045
>>
>> Maybe this is a false positive?
>>
>> Thanks in advance,
>>
>> Roland 
>> [...]
> 
> Hi,
> 
> It is quite likely to be a false-positive, but Lintian does not have
> enough information to deduce that.
>   Can you please run hardening-check --verbose on those binaries and
> return the result.

All reported files basically do like this:

$ hardening-check --verbose ./debian/guitarix/usr/lib/ladspa/guitarix.so
./debian/guitarix/usr/lib/ladspa/guitarix.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: memset
	unprotected: memmove
 Read-only relocations: yes
 Immediate binding: no, not found!
$

What would you suggest here?

Thanks in advance,

Roland
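
Added example, not part of the original message and not hardening-check's own code: a simplified version of the symbol-based check behind the "Fortify Source functions" line above. It shows why a binary can report only unprotected functions even when the flags were passed: the compiler emits a `__<name>_chk` call only where it can determine the destination size at compile time, so the remaining calls import the plain name. The `FORTIFIABLE` set, the sample symbol tables and every verdict string except the one quoted in the message are assumptions made for illustration.

```python
# Assumed subset of libc functions that have a fortified __<name>_chk variant.
FORTIFIABLE = {"memset", "memmove", "memcpy", "strcpy", "strcat", "sprintf", "snprintf"}

# Constructed samples in the column layout of `readelf --dyn-syms` output.
SAMPLE_UNPROTECTED = """\
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.0 (2)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.0 (2)
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND sinf@GLIBC_2.0 (3)
"""
SAMPLE_MIXED = """\
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.0 (2)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
"""


def undefined_functions(dynsym_text):
    """Return names of imported (UND) FUNC symbols with the version suffix removed."""
    names = set()
    for line in dynsym_text.splitlines():
        fields = line.split()
        # Columns: Num Value Size Type Bind Vis Ndx Name [version index]
        if len(fields) >= 8 and fields[3] == "FUNC" and fields[6] == "UND":
            names.add(fields[7].split("@", 1)[0])
    return names


def fortify_status(dynsym_text):
    """Classify a binary as (verdict, protected names, unprotected names)."""
    imported = undefined_functions(dynsym_text)
    # __memcpy_chk -> memcpy; count it only if it is a known fortifiable function.
    protected = sorted(
        n[2:-4] for n in imported
        if n.startswith("__") and n.endswith("_chk") and n[2:-4] in FORTIFIABLE
    )
    unprotected = sorted(imported & FORTIFIABLE)
    if protected:
        verdict = "yes"
    elif unprotected:
        # Same wording as the tool output quoted in the message.
        verdict = "no, only unprotected functions found!"
    else:
        verdict = "unknown"  # nothing fortifiable is imported at all
    return verdict, protected, unprotected


if __name__ == "__main__":
    for label, text in (("unprotected", SAMPLE_UNPROTECTED), ("mixed", SAMPLE_MIXED)):
        print(label, fortify_status(text))
```
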

