[SCM] Debian package checker branch, master, updated. 2.5.11-76-g54feab1
The following commit has been merged in the master branch:
commit 54feab18ff54402ee6c897714b913f24933b3161
Author: Niels Thykier <niels@thykier.net>
Date: Fri Jan 18 15:10:13 2013 +0100
coll/hardening-info: Do another F-P -> F-N trade off
Consider memmove and memset "always safe", like "memcpy". This
is (another) false-positive -> false-negative trade-off for reducing
the number of false-positives with hardening-no-fortify-functions.
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/collection/hardening-info b/collection/hardening-info
index 23eecd3..a3343bd 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -65,7 +65,7 @@ foreach my $bin ($info->sorted_index) {
next unless $info->index ($bin)->is_file;
# Skip kernel modules - most of the checks do not apply to the
# kernel.
- next if $bin =~ m/\.ko/o;
+ next if $bin =~ m/\.ko$/o;
my $finfo = $info->file_info ($bin);
next unless $finfo =~ m/\bELF\b/o;
printf {$opts{pipe_in}} "%s\0", $bin;
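Review bot: The new anchor in the kernel-module skip is `$`, which still matches a name ending in `.ko` followed by a trailing newline; `\z` is the exact end-of-string anchor, and `/o` does nothing on a pattern with no interpolation, so `next if $bin =~ m/\.ko\z/;` states precisely what is meant. The skip is also by filename only: a module stored under another name still reaches hardening-check and a non-module named `*.ko` is skipped, so if that matters the `file_info` result fetched on the next line may be the better discriminator (the hunk does not show what it reports for modules). The enclosing foreach starts before this hunk.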
diff --git a/collection/hardening-info-helper b/collection/hardening-info-helper
index deb950b..ee5159c 100755
--- a/collection/hardening-info-helper
+++ b/collection/hardening-info-helper
@@ -56,6 +56,11 @@ my @recheck = ();
# Work around bug in hardening-check when it proceses multiple binaries
# with --lintian (see #677530).
my %seen = ();
+my %whitelisted_funcs = (
+ 'memcpy' => 1,
+ 'memset' => 1,
+ 'memmove' => 1,
+);
pipe ($cread, $cwrite) or fail "pipe failed: $!";
$cpid = fork();
@@ -108,8 +113,9 @@ if (not $cpid) {
$emit = 0;
} elsif ($line =~ m/^\s+Fortify Source functions:/) {
$infsf = 1;
- } elsif ($infsf and $line =~ m/^\s+unprotected:\s*(\S+)/) {
- next if $1 eq 'memcpy';
+ } elsif ($infsf and $line =~ m/^\s+(un)?protected:\s*(\S+)/) {
+ next unless ($1//'') eq 'un';
+ next if exists $whitelisted_funcs{$2};
$emit = 1;
} else {
$infsf = 0;
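Review bot: The captures from the new elsif condition are read across two following statements, and the `($1//'')` guard exists only because the optional group leaves `$1` undefined on a `protected:` line; named captures make both reads self-describing: `} elsif ($infsf and $line =~ m/^\s+(?<un>un)?protected:\s*(?<func>\S+)/) {` then `next unless defined $+{un};` and `next if exists $whitelisted_funcs{$+{func}};`. Because a whitelisted name now silences the finding outright, a comment on that `next if exists` line such as `# deliberate F-P -> F-N trade-off: these are treated as always safe (see #685299)` keeps the rationale beside the code rather than only in the changelog. The if/elsif chain this hunk belongs to starts and ends outside the hunk.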
diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc
index 82b5838..a4a7a7a 100644
--- a/collection/hardening-info.desc
+++ b/collection/hardening-info.desc
@@ -3,5 +3,5 @@ Author: Kees Cook <kees@debian.org>
Info: This script runs hardening-check(1) over all ELF binaries of a binary
package.
Type: binary, udeb
-Version: 3
+Version: 4
Needs-Info: bin-pkg-control, file-info, index, unpacked
diff --git a/debian/changelog b/debian/changelog
index bdbccc6..9d1e68f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -55,6 +55,10 @@ lintian (2.5.12) UNRELEASED; urgency=low
not properly expand. Thanks to Bernd Zeimetz for the report.
(Closes: #683737)
+ * collection/hardening-info{,-helper,.desc}:
+ + [NT] Whitelist "memset" and "memmove" as "always safe"
+ functions. Thanks to Sebastian Ramacher for the suggestion
+ and Roland Stigge for the report. (Closes: #685299)
* collection/strings:
+ [NT] Fix a regression in filtering out "debug" ELF binaries.