Bug#695319: lintian: False positive: hardening-no-fortify-functions
On Friday, 18.01.2013 at 18:15 +0100, Niels Thykier wrote:
> Control: forcemerge 685299 -1
>
> On 2012-12-07 01:24, Benjamin Drung wrote:
> > Package: lintian
> > Version: 2.5.10.2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > lintian produces inter alia the following output for VLC:
> >
> > $ lintian vlc_2.0.3-4_amd64.changes
> > [...]
> >
> > The hardening dpkg-buildflags are passed to the build system. The build log
> > looks like everything (including CPPFLAGS) is handled correctly. Most of the
> > vlc plugins are correctly detected to use fortified libc functions. I see no
> > difference in the logs between the detected and non-detected plugins. Therefore
> > I assume that the lintian warnings are false positives.
> >
> > Versions of packages lintian depends on:
> > ii hardening-includes 2.2
> >
>
> The majority (but not all) of the tags have disappeared with the fix for
> #685299. Though I cannot fix all of them without completely neutering the
> check.

Thanks. The current git version of lintian (29bd97f6) reduces the number
of hardening-no-fortify-functions warnings from 61 to 14. Attached is the
verbose log from hardening-check for the remaining 14 plugins. Should I
override these warnings?
--
Benjamin Drung
Debian & Ubuntu Developer
$ for i in usr/lib/vlc/plugins/access/libpulsesrc_plugin.so usr/lib/vlc/plugins/audio_output/libpulse_plugin.so usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so usr/lib/vlc/plugins/access/libaccess_oss_plugin.so usr/lib/vlc/plugins/access/libdc1394_plugin.so usr/lib/vlc/plugins/access/liblibbluray_plugin.so usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so usr/lib/vlc/plugins/control/libnetsync_plugin.so usr/lib/vlc/plugins/demux/libmjpeg_plugin.so usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so; do hardening-check --verbose $i; done
usr/lib/vlc/plugins/access/libpulsesrc_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: gethostname
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/audio_output/libpulse_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: gethostname
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: gethostname
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: read
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_oss_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: read
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libdc1394_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: read
unprotected: memcpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access/liblibbluray_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
unprotected: memset
unprotected: realpath
unprotected: memcpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: read
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
unprotected: memcpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/control/libnetsync_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: recvfrom
unprotected: recv
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/demux/libmjpeg_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: memmove
unprotected: stpcpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: memmove
unprotected: recv
Read-only relocations: yes
Immediate binding: no, not found!
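
An added example, not part of the original message and not code from lintian or hardening-check: a small parser for the `hardening-check --verbose` output format shown in the log above, which inverts the per-file reports into a map from each unprotected libc function to the files that reference it, so the remaining warnings can be triaged by function rather than by plugin. The sample input is an excerpt of the log above (three plugins, two of them abridged); `parse_hardening_log` and `files_by_function` are names chosen for this example.

```python
from collections import defaultdict

# Excerpt of the log above (first plugin complete, the other two abridged), embedded to run offline.
SAMPLE_LOG = """\
usr/lib/vlc/plugins/access/libdc1394_plugin.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: read
unprotected: memcpy
Read-only relocations: yes
Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so:
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
unprotected: memcpy
usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so:
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: strncpy
"""

def parse_hardening_log(text):
    """Map each file path to its check results and its list of unprotected functions."""
    reports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()                      # the tool's indentation may be lost in mail
        if line.endswith(":"):                  # "path/to/file.so:" starts a new report
            current = reports.setdefault(line[:-1], {"checks": {}, "unprotected": []})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key == "unprotected":
                current["unprotected"].append(value)
            else:                               # e.g. "Stack protected" -> "yes"
                current["checks"][key] = value
    return reports

def files_by_function(reports):
    """Invert the reports: unprotected function name -> sorted list of files using it."""
    index = defaultdict(list)
    for path, report in reports.items():
        for func in report["unprotected"]:
            index[func].append(path)
    return {func: sorted(paths) for func, paths in sorted(index.items())}

if __name__ == "__main__":
    print(files_by_function(parse_hardening_log(SAMPLE_LOG)))
```
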