
question on hardening




Hi all,

I am packaging a new upstream version of gwyddion (to be found in Debian
Med SVN) and lintian brought up quite some warnings concerning hardening
stuff.
My knowledge in that direction is extremely limited, so I am seeking
advice here.

Lintian complains several times similar to this:
----------
W: gwyddion: hardening-no-stackprotector
usr/lib/gwyddion/modules/file/ambfile.so
N:
N:    This package provides an ELF binary that lacks the stack protector
N:    function __stack_chk_fail. Either there are no character arrays used on
N:    the stack of any routines, or the package was not built with the default
N:    Debian compiler flags defined by dpkg-buildflags. If built using
N:    dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
N:
N:    Refer to http://wiki.debian.org/Hardening for details.
----------

When looking at the relevant section of the build log, I feel that the
-fstack-protector option is given during compile:

----------
#	source='ambfile.c' object='ambfile.lo' libtool=yes
/bin/bash ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I../..  -I../.. -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W
-Wshadow -Wpointer-arith -Wno-sign-compare -Wundef
-Werror-implicit-function-declaration -Wno-system-headers
-Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
-Wredundant-decls -I/usr/include/glib-2.0
-I/usr/lib/x86_64-linux-gnu/glib-2.0/include   -pthread
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
-I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
-I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
-I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
-I/usr/lib/gtkglext-1.0/include   -fno-trapping-math -fno-math-errno  -g
-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wall -c -o ambfile.lo ambfile.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I../..
-DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W -Wshadow
-Wpointer-arith -Wno-sign-compare -Wundef
-Werror-implicit-function-declaration -Wno-system-headers
-Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
-Wredundant-decls -I/usr/include/glib-2.0
-I/usr/lib/x86_64-linux-gnu/glib-2.0/include -pthread
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
-I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
-I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
-I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
-I/usr/lib/gtkglext-1.0/include -fno-trapping-math -fno-math-errno -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wall -c ambfile.c  -fPIC -DPIC -o .libs/ambfile.o
/bin/bash ../../libtool  --tag=CC   --mode=link gcc -Wall -W -Wshadow
-Wpointer-arith -Wno-sign-compare -Wundef
-Werror-implicit-function-declaration -Wno-system-headers
-Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
-Wredundant-decls -I/usr/include/glib-2.0
-I/usr/lib/x86_64-linux-gnu/glib-2.0/include   -pthread
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
-I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
-I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
-I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
-I/usr/lib/gtkglext-1.0/include   -fno-trapping-math -fno-math-errno  -g
-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wall -avoid-version -module   -Wl,-z,relro -o
ambfile.la -rpath /usr/lib/gwyddion/modules/file ambfile.lo
libtool: link: gcc -shared  -fPIC -DPIC  .libs/ambfile.o    -pthread
-pthread -O2 -Wl,-z -Wl,relro   -pthread -Wl,-soname -Wl,ambfile.so -o
.libs/ambfile.so
libtool: link: ( cd ".libs" && rm -f "ambfile.la" && ln -s "../ambfile.la"
"ambfile.la" )
----------

Is it okay to ignore the Lintian warning (maybe its logic is not quite
perfect?) or do I need to do something to really implement this correctly?
There are also some more lintian warnings concerning
hardening-no-fortify-functions, but I think that once I have understood the
above, these should work similarly.

Thanks for any help!

Best regards,
Jan


-- 
Jan Beyer				happy Debian Maintainer	;-)	

mail	jan@beathovn.de			GPG key ID 0x0CA6B4AA
jabber	beathovn@jabber.org
web	http://www.beathovn.de/
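As an added example (not code from Jan's mail or from gwyddion) that makes the Lintian note reproducible: it builds two tiny shared objects with the same hardening flags the log above shows and checks, the way Lintian does, whether __stack_chk_fail ends up referenced. It assumes gcc and binutils' readelf are installed; the file and function names are made up.

```shell
#!/bin/sh
# Added example, not code from the original mail or from gwyddion: rebuild
# Lintian's hardening-no-stackprotector heuristic on two tiny shared objects.
# Lintian only looks for a reference to __stack_chk_fail; GCC emits that call
# solely in functions that get a canary, i.e. with -fstack-protector those
# holding a char array of at least --param=ssp-buffer-size bytes. A module
# built with the right flags but no such arrays therefore still warns.
# Assumes gcc and binutils' readelf are installed.

# Succeed if ELF file $1 references __stack_chk_fail (a canary is in use).
has_stack_protector() {
    readelf --wide --dyn-syms --syms "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# Succeed if ELF file $1 references a fortified libc entry point such as
# __memcpy_chk, which is what hardening-no-fortify-functions checks for.
has_fortify_functions() {
    readelf --wide --dyn-syms "$1" 2>/dev/null | grep -Eq '__[a-z0-9]+_chk'
}

# Build two minimal shared objects into directory $1 with the same hardening
# flags the build log shows, then report the protector symbol for each.
build_and_check() {
    dir=$1
    # No stack array at all: nothing to protect, so no canary and no symbol.
    printf '%s\n' 'int add(int a, int b) { return a + b; }' > "$dir/noarr.c"
    # A 64-byte char buffer whose address escapes must live on the stack and
    # gets a canary, which pulls in __stack_chk_fail.
    printf '%s\n' 'void use(char *p);' \
        'void fill(void) { char buf[64]; use(buf); }' > "$dir/arr.c"
    for name in noarr arr; do
        gcc -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat \
            -Werror=format-security -fPIC -shared -Wl,-z,relro \
            -o "$dir/$name.so" "$dir/$name.c" || return 1
        if has_stack_protector "$dir/$name.so"; then
            echo "$name.so: __stack_chk_fail present"
        else
            echo "$name.so: __stack_chk_fail absent (no protected frames)"
        fi
    done
}

# Stand-alone use: build_and_check "$(mktemp -d)"
```

The same symbol-based tests are what Debian's hardening-check script applies to an installed binary, so running it on ambfile.so tells you directly whether the warning is a missing flag or merely a module without protected frames.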