Bug#921136: lintian: hardening-no-fortify-functions possible false positive
On Tue, Oct 29, 2019 at 11:05:02PM -0400, Scott Talbert wrote:
> On Wed, 30 Oct 2019, Olly Betts wrote:
>
> > The same issue applies to memcpy() which is why it's deliberately omitted from
> > lintian's list:
> >
> > https://sources.debian.org/src/lintian/2.31.0/data/binaries/hardened-functions/?hl=6#L6
> >
> > Presumably wmemcpy() is simply much less widely used than memcpy(), and
> > that's the only reason it's not also omitted already.
>
> Thanks for the details, Olly. So, what you're saying is that wmemcpy should
> be excluded from hardened-functions?

Yes. Probably wmemset and wmemmove should be too. The history of
this seems to be in #673112 (don't be misled by the bug title!)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#67 suggests
that perhaps recvfrom, recv and read ought to be as well.

The whole approach seems a bit flawed though - the
hardening-no-fortify-functions description says:

| Either there are no potentially unfortified functions called by any
| routines, all unfortified calls have already been fully validated at
| compile-time, or the package was not built with the default Debian
| compiler flags defined by dpkg-buildflags

One of the first two cases seems to often be true for a lot of C++
code.

I thought I read ages ago about an idea to record the hardening flags as
notes in the compiled files, which seemed a much more satisfactory
approach, but I guess nothing ever came of it.

Cheers,
Olly
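
Why a fortified build can still import plain wmemcpy, as an added example that is not part of the message above or of lintian. The function and buffer names are made up, and the comments assume GCC with glibc at `-O2 -D_FORTIFY_SOURCE=2`, where the wrapper only switches to `__wmemcpy_chk` when the destination size is known and the length cannot be checked at compile time.

```c
/* Added example (not from lintian or the bug thread); names are made up. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NAME_CAP 16
static wchar_t g_name[NAME_CAP];   /* object size visible to the compiler */

/* 1. Bare pointer destination: __builtin_object_size() is unknown, so the
 *    fortify wrapper has nothing to compare against -> plain wmemcpy. */
__attribute__((noinline))
wchar_t *copy_unknown_dst(wchar_t *dst, const wchar_t *src, size_t n)
{
    return wmemcpy(dst, src, n);
}

/* 2. Known destination, constant length that fits: validated entirely at
 *    compile time -> plain wmemcpy again. */
__attribute__((noinline))
const wchar_t *set_default_name(void)
{
    return wmemcpy(g_name, L"unknown", 8);   /* 7 chars + NUL <= NAME_CAP */
}

/* 3. Known destination, length only known at run time and not re-checked
 *    here: the wrapper emits __wmemcpy_chk, which aborts if n > NAME_CAP. */
__attribute__((noinline))
const wchar_t *set_name(const wchar_t *src, size_t n)
{
    return wmemcpy(g_name, src, n);
}

/* Exercises all three paths with in-bounds lengths; returns 1 on success. */
int demo(void)
{
    wchar_t tmp[NAME_CAP];
    copy_unknown_dst(tmp, L"abc", 4);
    int ok = wcscmp(tmp, L"abc") == 0;
    ok = ok && wcscmp(set_default_name(), L"unknown") == 0;
    ok = ok && wcscmp(set_name(L"lintian", 8), L"lintian") == 0;
    return ok;
}

int main(void)
{
    printf("copies %s\n", demo() ? "ok" : "failed");
    return 0;
}
```

Listing the binary's undefined symbols (for example with `nm -D --undefined-only`) shows which calls became `__wmemcpy_chk`; code containing only calls of the first two kinds imports `wmemcpy` and no `_chk` symbol even though it was built with fortification enabled.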