Your message dated Sat, 9 Oct 2021 14:16:05 -0300
with message-id 
<CAP+dXJduFzFWwR2HjYtzvGG45-Zk=nrBiDQL=kl3ukymnhp...@mail.gmail.com>
and subject line Re: blhc: False positive: CPPFLAGS missing 
(-D_FORTIFY_SOURCE=2): /usr/lib/ccache/c++ -dM -E -c 
/usr/share/cmake-3.16/Modules/CMakeCXXCompilerABI.cpp
has caused the Debian Bug report #994422,
regarding blhc: False positive: CPPFLAGS missing (-D_FORTIFY_SOURCE=2): 
/usr/lib/ccache/c++ -dM -E -c 
/usr/share/cmake-3.16/Modules/CMakeCXXCompilerABI.cpp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: blhc
Version: 0.12-2
Severity: normal
Tags: upstream
X-Debbugs-Cc: [email protected]

Hi Simon,

The line shown in the subject is being produced by blhc with CMake 3.16 and
later versions. See an example below, from obs-advanced-scene-switcher
(currently only in Salsa and New Queue):

CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /usr/lib/ccache/c++ -dM -E -c
/usr/share/cmake-3.18/Modules/CMakeCXXCompilerABI.cpp -DASIO_STANDALONE
-DHAVE_OBSCONFIG_H -DQT_CORE_LIB -DQT_GUI_LIB -DQT_NO_DEBUG -DQT_WIDGETS_LIB
-DREPLAYBUFFER_SUPPORTED -DVCAM_SUPPORTED -Dadvanced_scene_switcher_EXPORTS
-I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/obj-x86_64-linux-gnu
-I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir
-I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/deps/asio/asio/include
-I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/deps/websocketpp
-I/usr/include/obs -I/usr/include/x86_64-linux-gnu/qt5
-I/usr/include/x86_64-linux-gnu/qt5/QtCore
-I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++
-I/usr/include/x86_64-linux-gnu/qt5/QtWidgets
-I/usr/include/x86_64-linux-gnu/qt5/QtGui -I/usr/include/x86_64-linux-gnu
-I/usr/include -I/usr/include/c++/10 -I/usr/include/x86_64-linux-gnu/c++/10
-I/usr/include/c++/10/backward -I/usr/lib/gcc/x86_64-linux-gnu/10/include
-I/usr/local/include

I found an explanation about this line here[1] (CMake Project). A summary:

 "From that Salsa job (link in the original report) you can see that what blhc
 (the hardening-tool-enforcement-thing) is complaining about, are the four calls
 to the compiler like /usr/lib/ccache/c++ -dM -E -c
 /usr/share/cmake-3.16/Modules/CMakeCXXCompilerABI.cpp .

 These are obviously false positives, since it's CMake checking compiler flags
 and the resulting objects never end up in any artefacts from the build.
 Because CPPFLAGS aren't inserted in there, the calls are flagged, and the tool
 complains."

[1] https://gitlab.kitware.com/cmake/cmake/-/issues/20631#note_746828

Really, I tested a final binary with the hardening-check command and I can see:

# hardening-check obs-text-slideshow.so
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

I am getting the same message from blhc in some packages (in my packages
packetsender, obs-advanced-scene-switch and obs-text-slideshow). What do you
think about adding the following line as an exclusion in blhc?

 /usr/lib/ccache/c++ -dM -E -c 
/usr/share/cmake-.*/Modules/CMakeCXXCompilerABI.cpp .

Now I will use an exclusion via debian/rules.

Thanks!

Regards,

Eriberto

--- End Message ---
--- Begin Message ---
Solved in blhc/0.13-1. Closing.

--- End Message ---
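
The check and the exclusion discussed in this report, as an added example that is not part of the original messages and is not blhc's own code: a simplified scan of build-log lines for compiler calls lacking -D_FORTIFY_SOURCE=2, with the proposed CMake ABI probe pattern applied as a whole-line ignore. The log lines, function names and compiler-detection heuristics are assumptions made for illustration.

```python
import re

# Constructed build-log lines (not taken from a real log); the second is
# modelled on the CMake ABI probe quoted in the report.
SAMPLE_LOG = [
    "-- Detecting CXX compiler ABI info",
    "/usr/lib/ccache/c++ -dM -E -c /usr/share/cmake-3.18/Modules/CMakeCXXCompilerABI.cpp -DQT_NO_DEBUG -I/usr/include",
    "/usr/lib/ccache/c++ -g -O2 -Wdate-time -D_FORTIFY_SOURCE=2 -c src/switcher.cpp -o switcher.o",
    "/usr/lib/ccache/c++ -g -O2 -c src/hotkey.cpp -o hotkey.o",
]

# The exclusion proposed in the report, with '+' and '.' escaped so they
# match literally, and a tail that allows the -D/-I arguments that follow.
CMAKE_ABI_PROBE = re.compile(
    r"/usr/lib/ccache/c\+\+ -dM -E -c "
    r"/usr/share/cmake-.*/Modules/CMakeCXXCompilerABI\.cpp( .*)?"
)

# Hypothetical heuristics for this example: what counts as a compiler call.
COMPILER = re.compile(r"(?:.*/)?(?:cc|c\+\+|gcc|g\+\+|clang(?:\+\+)?)(?:-[\d.]+)?")
SOURCE = re.compile(r".+\.(?:c|cc|cpp|cxx)")
FORTIFY = "-D_FORTIFY_SOURCE=2"


def is_compile_line(line):
    """True if the line starts with a compiler and names a C/C++ source file."""
    tokens = line.split()
    return (bool(tokens)
            and COMPILER.fullmatch(tokens[0]) is not None
            and any(SOURCE.fullmatch(t) for t in tokens[1:]))


def missing_fortify(lines, ignore=()):
    """Return compile lines lacking -D_FORTIFY_SOURCE=2, skipping any line
    that an ignore pattern matches in full."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not is_compile_line(line) or any(p.fullmatch(line) for p in ignore):
            continue
        if FORTIFY not in line.split():
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in missing_fortify(SAMPLE_LOG, ignore=[CMAKE_ABI_PROBE]):
        print("CPPFLAGS missing (-D_FORTIFY_SOURCE=2):", line)
```

Matching the ignore pattern against the complete line keeps the exclusion limited to the probe call, so an unhardened compile of project sources such as the constructed hotkey.cpp line is still reported.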
