
Re: ASAN builds and exiv2



On 2017-11-27 20:38:20, Roberto C. Sánchez wrote:
> On Thu, Nov 23, 2017 at 02:51:56PM -0500, Antoine Beaupré wrote:
>> 
>> So I ended up adding it to the debian/rules file, but that wasn't enough
>> either - I had to add "export" to every line so it shows up in the
>> environment.
>
> I think that the problem you are seeing is related to sbuild.  Here is
> the command I used to build with gbp and cowbuilder:
>
> DH_VERBOSE=1 DEB_CFLAGS_APPEND=-fsanitize=address
> DEB_CPPFLAGS_APPEND=-fsanitize=address
> DEB_CXXFLAGS_APPEND=-fsanitize=address
> DEB_LDFLAGS_APPEND=-lasan gbp buildpackage --git-dist=jessie 
>
> The -static-libasan option produced the linking error you reported near
> the end of the build, which is why I switched to -lasan.  I also had to
> add libasan1 to Build-Depends.
>
> I have attached the build log so that you can confirm the resulting
> commands that were executed to build the package.
>
> After building with that command I installed the packages in a wheezy
> Docker and ran the exiv2 binary with the three proofs of concept from
> the three GitHub issues.  None of them appear to trigger the reported
> vulnerabilities.  Based on this and on Raphael's comments in this
> thread, I think that the correct resolution is to mark the issues as
> not-affected for wheezy.
>
> I have attached the verbose output of the POC runs with the ASAN version
> of the package so that you or someone else can review the output and
> either concur or dissent with my analysis.

I agree. I can't reproduce the issues with 0.23-1 (no need even to go
back to +deb7u1) either (using valgrind).

So I'll just mark those as N/A.

Thanks for the review!

A.

-- 
Your injured body has become the burden of your digital soul.
                        - Yin Aiwen, 2013, The Massage is the Medium
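
The quoted message attaches the build log so the executed commands can be confirmed; as an added example (not part of the thread), this shell function audits a DH_VERBOSE=1 log, assuming compile steps should carry -fsanitize=address and link steps -lasan as in the quoted command. The function name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints compiler invocations of one kind
# that lack a required flag.
#   $1 log file   $2 required flag   $3 kind: "compile" (has -c) or "link"
# Exit status: 0 all carry the flag, 1 some lack it, 2 none of that kind seen
# (for example because the log is not verbose or the flags never reached make).
missing_flag_lines() {
    awk -v flag="$2" -v kind="$3" '
    {
        # Command word: first field that is not a "libtool: compile:" style prefix.
        c = 1
        while (c < NF && $c ~ /:$/) c++
        tok = $c
        sub(/.*\//, "", tok)              # drop any directory part
        if (tok !~ /^([a-z0-9_]+-)*(gcc|g[+][+]|cc|c[+][+])(-[0-9.]+)?$/) next
        has_c = 0; has_flag = 0
        for (i = c + 1; i <= NF; i++) {
            if ($i == "-c") has_c = 1
            if ($i == flag) has_flag = 1
        }
        if ((kind == "compile") != has_c) next   # keep only the requested kind
        seen++
        if (!has_flag) { bad++; print FILENAME ":" FNR ": " $0 }
    }
    END { if (!seen) exit 2; exit (bad > 0) }
    ' "$1"
}

# Constructed sample log (not the build log attached to the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
checking for gcc option to accept ISO C89... none needed
g++ -g -O2 -fsanitize=address -D_FORTIFY_SOURCE=2 -c -o exiv2.o exiv2.cpp
libtool: compile:  g++ -g -O2 -c utils.cpp -o utils.o
g++ -Wl,-z,relro -lasan -o exiv2 exiv2.o utils.o
EOF
missing_flag_lines "$sample" -fsanitize=address compile || echo "compile check: status $?"
missing_flag_lines "$sample" -lasan link && echo "link check: ok"
```

Status 2 is the case to watch for when the flags were set in debian/rules without "export" or filtered from the environment: the check finds nothing to confirm rather than reporting success.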

