Your message dated Mon, 16 Dec 2019 14:59:27 -0800
with message-id <CAFHYt55_6FaH2uiY0HB+n-m_dJAfFJuPR7VZ6A1XcYkDeQ089Q@mail.gmail.com>
and subject line Re: Bug#926060: lintian: portable-executable-missing-security-features false positives
has caused the Debian Bug report #926060,
regarding lintian: portable-executable-missing-security-features false positives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
926060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926060
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lintian: portable-executable-missing-security-features false positives
- From: Scott Kitterman <debian@kitterman.com>
- Date: Sun, 31 Mar 2019 01:18:40 -0400
- Message-id: <20190331051840.22127.71420.reportbug@kitterma-E6430>
Package: lintian
Version: 2.11.0
Severity: normal

I'm reasonably confident that clamav testfiles don't need hardening features, so [1] seems pretty pointless.

Scott K

[1] https://lintian.debian.org/maintainer/pkg-clamav-devel@lists.alioth.debian.org.html#clamav

clamav-testfiles
E portable-executable-missing-security-features
    usr/share/clamav-testfiles/clam-aspack.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-fsg.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-nsis.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam-pespin.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-petite.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-upx.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-wwpack.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam-yc.exe ASLR DEP/NX SafeSEH
    usr/share/clamav-testfiles/clam.ea05.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam.ea06.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam_IScab_ext.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam_IScab_int.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam_ISmsi_ext.exe ASLR DEP/NX
    usr/share/clamav-testfiles/clam_ISmsi_int.exe ASLR DEP/NX
--- End Message ---
--- Begin Message ---
- To: Scott Kitterman <debian@kitterman.com>
- Cc: 926060-done@bugs.debian.org
- Subject: Re: Bug#926060: lintian: portable-executable-missing-security-features false positives
- From: Felix Lechner <felix.lechner@lease-up.com>
- Date: Mon, 16 Dec 2019 14:59:27 -0800
- Message-id: <CAFHYt55_6FaH2uiY0HB+n-m_dJAfFJuPR7VZ6A1XcYkDeQ089Q@mail.gmail.com>
- In-reply-to: <FB6611D8-6292-4B78-B0D9-9C2DFE6F4B06@kitterman.com>
- References: <ffdef0ef-ae26-4138-afc0-9dfe47f22e6a@www.fastmail.com> <3174518.cf22pGiqGt@kitterma-e6430> <20190331051840.22127.71420.reportbug@kitterma-E6430> <98bdd21a-183c-4abe-8372-efaf4542641b@www.fastmail.com> <FB6611D8-6292-4B78-B0D9-9C2DFE6F4B06@kitterman.com>
Hi Scott,

On Mon, Apr 1, 2019 at 6:00 AM Scott Kitterman <debian@kitterman.com> wrote:
>
> > I'm reasonably confident that clamav testfiles don't need
> hardening features, so [1] seems pretty pointless.

I saw the overrides in clamav-testfiles. That was probably the right thing to do.

As an alternative, you could modify the flags (or ask upstream to do so) with a tool called 'genpeimg'. We had a similar issue with systemd's gummiboot executables. You can find more details here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926823

Personally, I do not understand how the PE32+ security features work (even though I wrote the check). They are stored as part of the executable and seem to express a designation by the author more than an out-of-channel, system-wide privilege.

> These are all EICAR test files [1]. Generically these are all test files (I haven't checked, other packages may ship these too). It would be at least slightly generic and not unreasonable to exclude any files with the EICAR test string from the test.

Like Chris, I examined the test files, and like Chris I was unable to find the EICAR string or any other distinguishing feature that would allow us to disregard the clamav test files in the Lintian check.

Your overrides are an appropriate remedy. Closing this bug. Please re-open if you disagree.

Kind regards
Felix Lechner
--- End Message ---
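
The flags discussed in this thread live in the DllCharacteristics field of the PE optional header. The following is an added example, not code from Lintian or from either correspondent, that reads that field and reports which of the two header bits are unset. It assumes the tag's "ASLR" and "DEP/NX" labels correspond to the DYNAMIC_BASE and NX_COMPAT bits, leaves SafeSEH out because it is not one of these header bits, and uses a constructed header-only sample (build_sample is a hypothetical helper) in place of a real executable.

```python
import struct

# Bit values from the Microsoft PE/COFF specification.
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -> "ASLR"
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT    -> "DEP/NX"
PE32, PE32_PLUS = 0x10B, 0x20B
COFF_SIZE, MIN_OPT = 20, 72  # COFF header size; bytes needed to reach the flags


def missing_pe_flags(data):
    """Return which of "ASLR" and "DEP/NX" are not set in a PE image header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + COFF_SIZE
    if len(data) < opt_off + MIN_OPT:
        raise ValueError("truncated optional header")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if opt_size < MIN_OPT or magic not in (PE32, PE32_PLUS):
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    wanted = ((DYNAMIC_BASE, "ASLR"), (NX_COMPAT, "DEP/NX"))
    return [name for bit, name in wanted if not flags & bit]


def build_sample(magic, dll_characteristics):
    """Constructed header-only image for the demo; not a loadable program."""
    pe_off = 0x40
    opt_off = pe_off + 4 + COFF_SIZE
    buf = bytearray(opt_off + MIN_OPT)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 4 + 16, MIN_OPT)  # SizeOfOptionalHeader
    struct.pack_into("<H", buf, opt_off, magic)
    struct.pack_into("<H", buf, opt_off + 70, dll_characteristics)
    return bytes(buf)


if __name__ == "__main__":
    for label, magic, flags in (("no flags", PE32, 0x0000),
                                ("NX only", PE32_PLUS, NX_COMPAT),
                                ("both set", PE32_PLUS, DYNAMIC_BASE | NX_COMPAT)):
        missing = missing_pe_flags(build_sample(magic, flags))
        print(f"{label}: missing {' '.join(missing) or 'nothing'}")
```

Because the bits are plain header data written at link time, a file that is only ever scanned as test input reports them as missing exactly like a program that is meant to run.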