Hi Jan,

On 28/05/2012 20:54, Jan Beyer wrote:
> Lintian complains several times similar to this:
> ----------
> W: gwyddion: hardening-no-stackprotector
> usr/lib/gwyddion/modules/file/ambfile.so
> N:
> N: This package provides an ELF binary that lacks the stack protector
> N: function __stack_chk_fail. Either there are no character arrays used on
> N: the stack of any routines, or the package was not built with the default
> N: Debian compiler flags defined by dpkg-buildflags. If built using
> N: dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
> N:
> N: Refer to http://wiki.debian.org/Hardening for details.
> ----------
>
> When looking at the relevant section of the build-log, I feel, that the
> -fstack-protector option is given during compile:
>
> ----------
> # source='ambfile.c' object='ambfile.lo' libtool=yes
> /bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I.
> -I../.. -I../.. -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W
> [...]
> -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -Wall -c -o ambfile.lo ambfile.c
> [...]
> Is it okay to ignore the Lintian warning (maybe its logic is not quite
> perfect?) or do I need to do something to really implement this correctly?
> There are also some more lintian warnings concerning
> hardening-no-fortify-functions, but I think, once I understood the above,
> these ones should work similar.

Don't worry, the hardening is effectively enabled, but there are a lot of
false positives in those checks. As explained by the warning, if your
library does not use any routine that is eligible for being protected by
the stack protector, the lintian check will misinterpret the library as
being unprotected. The same applies for fortify-functions.

As you have correctly noted, the two hardening flags are set in the
compilation (I have kept three lines that show it). So you can safely
ignore the warnings.

Cheers,

Nicolas
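The ambiguity described in the reply above, as an added example that is not part of the original message and is not lintian's own code: a symbol-based check can show that hardening is present, but a missing `__stack_chk_fail` or `__*_chk` symbol does not show that it is absent. It assumes input in `nm -D` text form; the function names, the short list of fortifiable functions and both sample symbol tables are constructed for illustration.

```python
import re

# Subset of glibc functions that gain a "__<name>_chk" variant under
# -D_FORTIFY_SOURCE=2 (assumption: illustrative list, not exhaustive).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy",
               "strcat", "sprintf", "snprintf", "vsprintf"}

def undefined_symbols(nm_text):
    """Names of undefined ('U') symbols in `nm -D`-style output."""
    names = set()
    for line in nm_text.splitlines():
        m = re.match(r"\s*(?:[0-9a-fA-F]+\s+)?U\s+(\S+)", line)
        if m:
            names.add(m.group(1).split("@")[0])  # strip @GLIBC_x.y suffix
    return names

def assess(nm_text):
    """Classify what the symbol table can and cannot prove."""
    syms = undefined_symbols(nm_text)
    checked = {s for s in syms
               if s.startswith("__") and s.endswith("_chk") and s[2:-4] in FORTIFIABLE}
    # No __stack_chk_fail: flag missing OR no function had an eligible
    # stack array. The symbol table alone cannot tell these apart.
    stack = "yes" if "__stack_chk_fail" in syms else "no evidence"
    if checked:
        fortify = "yes"
    elif syms & FORTIFIABLE:
        fortify = "no evidence"      # only unchecked calls are visible
    else:
        fortify = "not applicable"   # nothing fortifiable is called
    return {"stack_protector": stack, "fortify": fortify}

# Constructed sample: a plugin that only calls into other libraries.
PLUGIN_NO_BUFFERS = """\
                 U g_free
                 U g_malloc
0000000000001139 T module_query
"""

# Constructed sample: a plugin with a stack buffer and a checked copy.
PLUGIN_WITH_BUFFERS = """\
                 U __memcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
0000000000001139 T module_query
"""

if __name__ == "__main__":
    print(assess(PLUGIN_NO_BUFFERS))
    print(assess(PLUGIN_WITH_BUFFERS))
```

A "no evidence" result is the case to settle from the build log, as done in the thread, by confirming that the hardening flags appear on the compile line for that object.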