Your message dated Wed, 24 Sep 2014 08:01:17 -0700
with message-id <[email protected]>
and subject line false positives
has caused the Debian Bug report #759322,
regarding False positive in binwalk libraries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
759322: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: hardening-includes
Version: 2.5+nmu1
Severity: Important

Hi maintainer,

the last Steps to reproduce (reproducible on a sid pbuilder clean environment)

# apt-get install binwalk hardening-check
hardening-check /usr/lib/python2.7/dist-packages/binwalk/libs/libcompress42.so
/usr/lib/python2.7/dist-packages/binwalk/libs/libcompress42.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

# hardening-check /usr/lib/python2.7/dist-packages/binwalk/libs/libtinfl.so
/usr/lib/python2.7/dist-packages/binwalk/libs/libtinfl.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!

I don't think I should blame binwalk since both libraries are built with almost the same Makefile, and I see flags injected correctly:
https://buildd.debian.org/status/fetch.php?pkg=binwalk&arch=i386&ver=2.0.1-1&stamp=1408985010

make[3]: Entering directory '/«PKGBUILDDIR»/src/C/miniz'
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c tinfl.c
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -Wl,-soname,libtinfl.so tinfl.o -o libtinfl.so -Wl,-z,relro
chmod +x libtinfl.so
make[3]: Leaving directory '/«PKGBUILDDIR»/src/C/miniz'
cp miniz/*.so "../"./binwalk/libs""
make -C compress
make[3]: Entering directory '/«PKGBUILDDIR»/src/C/compress'
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 compress42.c -c
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -Wl,-soname,libcompress42.so compress42.o -o libcompress42.so -Wl,-z,relro
chmod +x libcompress42.so

This is why I'm creating this bug report, because I believe this might be a false positive on your package.

Have many thanks,

Gianfranco
--- End Message ---
--- Begin Message ---
As mentioned in the hardening-check manpage, there are states that cannot be successfully verified in the resulting binary:

  When an executable was built such that the fortified versions of the glibc functions are not useful (e.g. use is verified as safe at compile time, or use cannot be verified at runtime), this check will lead to false alarms.

In these cases, if you've verified the flags are being passed and the code is safe, you will need to create lintian overrides.

-Kees

--
Kees Cook @outflux.net
--- End Message ---
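An added illustration, not code from this thread or from hardening-check itself: a small Python re-implementation of the symbol heuristic that hardening-check applies to `readelf` output, run over two constructed symbol listings (not the real binwalk libraries) that mirror the libtinfl and libcompress42 reports above. It assumes hardening-check's decision rules (an imported `__stack_chk_fail` means stack protection, any imported `*_chk` means fortification), a subset of its fortifiable-function table, and the wording of the third "unknown" verdict.

```python
# Constructed `readelf -sW` style dynamic-symbol listings (not taken from the
# real binwalk libraries); each mirrors one of the two reports in the thread.
# Column order: Num Value Size Type Bind Vis Ndx Name
SAMPLE_LIBTINFL = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000001234   400 FUNC    GLOBAL DEFAULT   12 tinfl_decompress
"""
SAMPLE_LIBCOMPRESS42 = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fprintf@GLIBC_2.2.5 (2)
     3: 0000000000002000   900 FUNC    GLOBAL DEFAULT   12 compress
"""

# libc functions for which glibc offers a fortified *_chk variant (a subset;
# the real hardening-check carries a longer table).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "printf", "fprintf", "read", "fgets"}


def undefined_symbols(readelf_text):
    """Names of UND (imported) symbols, with the @GLIBC version suffix removed."""
    names = set()
    for line in readelf_text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[6] == "UND":
            names.add(cols[7].split("@", 1)[0])
    return names


def check_hardening(readelf_text):
    """Approximate the stack-protector and fortify verdicts of hardening-check.

    Both verdicts are inferred purely from imported symbols, which is why they
    can be wrong even when the compiler flags were passed:
      * -fstack-protector-strong only references __stack_chk_fail from functions
        that actually receive a canary (local arrays, address-taken locals).
      * -D_FORTIFY_SOURCE=2 only substitutes a *_chk call where the compiler
        knows the destination size and cannot prove the call safe; a call it
        proves safe, or whose buffer size it cannot see, keeps the plain symbol.
    """
    syms = undefined_symbols(readelf_text)
    stack = "yes" if "__stack_chk_fail" in syms else "no, not found!"
    if any(s.endswith("_chk") for s in syms):
        fortify = "yes (some protected functions found)"
    elif syms & FORTIFIABLE:
        fortify = "no, only unprotected functions found!"
    else:  # assumed wording for the case with no fortifiable imports at all
        fortify = "unknown, no protectable libc functions used"
    return {"stack_protected": stack, "fortify_source": fortify}
```

Run against the two constructed listings it reproduces the thread's two verdicts exactly, which is the point: nothing in the symbol table records which flags were on the gcc command line.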