
Hardening-check reports on hardened object



Hi,

For the python-astropy package [1], I have source code [2] that is
compiled into a shared library (for a Python extension). The hardening
flags are switched on, as seen from the build log:

-----------------------8<------------------------------
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python2.7 -c astropy/utils/xml/src/iterparse.c -o build/temp.linux-x86_64-2.7/astropy/utils/xml/src/iterparse.o
gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-Bsymbolic-functions -Wl,-z,relro -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-2.7/astropy/utils/xml/src/iterparse.o -lexpat -o build/lib.linux-x86_64-2.7/astropy/utils/xml/_iterparser.so
-----------------------8<------------------------------

However, lintian still reports a "hardening-no-fortify-functions", with
some reason: running "hardening-check --verbose" gives

-----------------------8<------------------------------
[...]
 Fortify Source functions: no, only unprotected functions found!
	unprotected: read
	unprotected: memcpy
-----------------------8<------------------------------

Checking the source code shows that both functions are really used.
Why are they not translated into their fortified counterparts and what
should one do here? Just override lintian?

Best

Ole

[1] ITP http://bugs.debian.org/678168
[2] https://github.com/astropy/astropy/blob/master/astropy/utils/xml/src/iterparse.c

