Re: hardening=+all caused CPPFLAGS missing (-D_FORTIFY_SOURCE=2)
On Thu, 5 Nov 2020 at 20:25, Carlos Henrique Lima Melara
> On Thu, Nov 05, 2020 at 09:55:31PM +0500, Andrey Rahmatullin wrote:
> > On Thu, Nov 05, 2020 at 10:58:16AM -0500, Tong Sun wrote:
> > > So I just ignore it, without trying to fix blhc?
> > It's not a blhc problem, nothing to fix there.
> > It cannot know which of the compilation commands in your build process are
> > important.
> So I've been very interested in this problem (really don't know why kkkk)
> but it may have a solution. This bug #725484 is similar to your problem.
> Also, in the last release, 0.12, a debian/NEWS entry was created; take a look:
> blhc (0.12-1) unstable; urgency=medium
> Since 0.12 version, blhc is able to ignore false positives spotted by
> line(s) "injected" inside .build file via debian/rules. It is useful
> for Salsa automated tests and to skip wrong lines shown in local blhc
> report. See more details in blhc(1) manpage. There are examples in
> -- Joao Eriberto Mota Filho <email@example.com> Wed, 29 Jul 2020 20:41:39 -0300
> This might solve the problem. If it does, let us know.
A good catch, Charles, but it is more appropriate for false positives,
e.g. an echo command from upstream saying that you can change the
options to use 'gcc -g -O2' only. So, when blhc sees 'gcc -c -O2'
in the build log, it will report a hardening issue. You can see
this case in ngetty:
echo "CC = diet -Os gcc -W";
shc has an upstream problem because the tests do not consider CPPFLAGS
(via the Makefile). Consequently, dpkg is not able to pass the CPPFLAGS
content to the test commands. Upstream should fix it. A workaround
in Debian is to send -D_FORTIFY_SOURCE=2 via CFLAGS. To do that, the
following line must be placed in debian/rules:
export DEB_CFLAGS_MAINT_APPEND = -D_FORTIFY_SOURCE=2
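As an added illustration (my own code, not blhc's and not from the thread), the following Python check runs over a constructed build-log excerpt and shows the two situations discussed above: a test-suite compile line that never received CPPFLAGS gets flagged, an echoed upstream hint containing 'gcc -c -O2' produces a false positive, and an ignore regexp (standing in for the ignore lines blhc 0.12 lets debian/rules inject) silences only that echoed line.

```python
import re
import shlex

# Constructed build-log excerpt, not a real shc or ngetty log.
# Line 2: a test compile that ignored CPPFLAGS (the shc problem).
# Lines 3-4: an upstream hint echoed into the log (the false positive).
# Line 5: the same test compile after DEB_CFLAGS_MAINT_APPEND pushed the
#         define into CFLAGS, which every compile line receives.
SAMPLE_LOG = """\
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c shc.c
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c test1.c
echo "hint: use gcc -c -O2 test.c if you only want a plain build"
hint: use gcc -c -O2 test.c if you only want a plain build
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test1.c
"""

COMPILERS = {"gcc", "cc", "g++", "c++", "clang", "clang++"}


def is_compile_command(tokens):
    """Treat a line as a compile step when a compiler token appears together
    with -c; pure link steps do not need the FORTIFY define."""
    return any(t.split("/")[-1] in COMPILERS for t in tokens) and "-c" in tokens


def missing_fortify(tokens):
    """_FORTIFY_SOURCE only works with optimisation, so -O0 lines are not
    flagged; anything else optimised must carry -D_FORTIFY_SOURCE=2."""
    optimised = any(t.startswith("-O") and t != "-O0" for t in tokens)
    return optimised and "-D_FORTIFY_SOURCE=2" not in tokens


def check_log(log, ignore_regexps=()):
    """Return (line_number, line) pairs for optimised compile steps that lack
    -D_FORTIFY_SOURCE=2, skipping lines matched by any ignore regexp. The
    ignore list plays the role of a maintainer-supplied false-positive filter."""
    patterns = [re.compile(r) for r in ignore_regexps]
    findings = []
    for number, line in enumerate(log.splitlines(), start=1):
        if any(p.search(line) for p in patterns):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes in free-form build output
            continue
        if is_compile_command(tokens) and missing_fortify(tokens):
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for number, line in check_log(SAMPLE_LOG, ignore_regexps=[r"^hint: use gcc"]):
        print(f"line {number}: missing -D_FORTIFY_SOURCE=2: {line}")
```

Without the ignore regexp both line 2 and the echoed hint on line 4 are reported; with it, only the genuine test-suite compile remains, which is exactly the line the DEB_CFLAGS_MAINT_APPEND workaround fixes.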