
Re: question on hardening



Thanks to both of you, Andreas and Nicolas, for the fast help!
Then I can upload soon.

Best regards,
Jan

And it came to pass on 28.05.2012 22:30 that Nicolas Bourdaud wrote:
> Hi Jan,
> 
> On 28/05/2012 20:54, Jan Beyer wrote:
>> Lintian complains several times similar to this:
>> ----------
>> W: gwyddion: hardening-no-stackprotector usr/lib/gwyddion/modules/file/ambfile.so
>> N:
>> N:    This package provides an ELF binary that lacks the stack protector
>> N:    function __stack_chk_fail. Either there are no character arrays used on
>> N:    the stack of any routines, or the package was not built with the default
>> N:    Debian compiler flags defined by dpkg-buildflags. If built using
>> N:    dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
>> N:
>> N:    Refer to http://wiki.debian.org/Hardening for details.
>> ----------
>> 
>> When looking at the relevant section of the build-log, I feel that
>> the -fstack-protector option is given during compile:
>> 
>> ----------
>> #	source='ambfile.c' object='ambfile.lo' libtool=yes
>> /bin/bash ../../libtool  --tag=CC   --mode=compile gcc
>> -DHAVE_CONFIG_H -I. -I../..  -I../.. -DG_LOG_DOMAIN=\"Module\"
>> -D_FORTIFY_SOURCE=2 -Wall -W [...] -O2 -fstack-protector
>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -c
>> -o ambfile.lo ambfile.c
>> [...]
>> 
>> Is it okay to ignore the Lintian
>> warning (maybe its logic is not quite perfect?) or do I need to do
>> something to really implement this correctly? There are also some
>> more lintian warnings concerning hardening-no-fortify-functions, but
>> I think, once I understood the above, these ones should work
>> similarly.
> 
> Don't worry, the hardening is effectively enabled, but there are a lot of
> false positives in those checks. As explained by the warning, if your
> library does not use any routine that is eligible for being protected
> by the stack protector, the lintian check will misinterpret the library
> as being unprotected. The same applies for fortify-functions.
> 
> As you have correctly noted, the two hardening flags are set in the
> compilation (I have kept three lines that show it). So you can safely
> ignore the warnings.
> 
> Cheers,
> 
> Nicolas
> 
> 


-- 
Jan Beyer				happy Debian Maintainer	;-)	

mail	jan@beathovn.de			GPG key ID 0x0CA6B4AA
jabber	beathovn@jabber.org
web	http://www.beathovn.de/
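
The false positive discussed in this thread, as an added example that is not part of the original messages and is not code from gwyddion or lintian: two constructed functions, `checksum` and `format_id` (both hypothetical names), of which only the second is eligible for a stack canary under the flags shown in the quoted build log.

```c
/* Constructed example. To reproduce the effect, place each function in its
 * own source file, compile with the flags from the quoted build log, and
 * list the undefined symbols of each resulting object:
 *
 *   gcc -O2 -fstack-protector --param=ssp-buffer-size=4 -c file.c
 *   nm -u file.o
 */
#include <stddef.h>
#include <stdio.h>

/* No local array and no alloca(): -fstack-protector does not instrument
 * this function. An object made only of code like this carries no
 * reference to __stack_chk_fail although the flag was on the command line,
 * which is the case lintian reports as hardening-no-stackprotector. */
unsigned checksum(const unsigned char *data, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + data[i];
    return sum;
}

/* A 16-byte char array on the stack exceeds the ssp-buffer-size=4
 * threshold, so the compiler places a canary in this frame and the object
 * typically gains an undefined reference to __stack_chk_fail. */
int format_id(unsigned id, char *out, size_t outlen)
{
    char tmp[16];
    int n = snprintf(tmp, sizeof tmp, "id-%u", id);

    /* Reject encoding errors and anything that would not fit in out. */
    if (n < 0 || (size_t)n >= sizeof tmp || (size_t)n >= outlen)
        return -1;
    for (int i = 0; i <= n; i++)   /* copies the terminating NUL too */
        out[i] = tmp[i];
    return n;
}

int main(void)
{
    char buf[32];
    int n = format_id(42u, buf, sizeof buf);
    printf("%d %s %u\n", n, buf, checksum((const unsigned char *)"ab", 2));
    return 0;
}
```

Seeing `__stack_chk_fail` for the second object and not for the first confirms that the flag reached the compiler and that the missing symbol only reflects what the code contains.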

