Bug#685299: lintian: False positive from hardening-no-fortify-functions
On 2012-08-19 13:47, Roland Stigge wrote:
> Package: lintian
> Version: 2.5.10.1
> Severity: normal
>
> Hi,
>
> consider the following (guitarix 0.24.0-1 is in experimental):
>
> $ lintian -i guitarix_0.24.0-1_i386.changes
> [...]
>
> I already sorted out similar issues with upstream to correctly pass the
> correct dpkg-buildflags to the build. But the above is still present, even
> though it looks like everything (especially CPPFLAGS) is passed correctly.
>
> See also the build log at
> https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045
>
> Maybe this is a false positive?
>
> Thanks in advance,
>
> Roland
> [...]

Hi,

It is quite likely to be a false-positive, but Lintian does not have enough
information to deduce that. Can you please run hardening-check --verbose on
those binaries and return the result.

~Niels

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#685299: lintian: False positive from hardening-no-fortify-functions
Hi,

On 01/18/2013 12:51 PM, Niels Thykier wrote:
> On 2012-08-19 13:47, Roland Stigge wrote:
>> Package: lintian
>> Version: 2.5.10.1
>> Severity: normal
>>
>> Hi,
>>
>> consider the following (guitarix 0.24.0-1 is in experimental):
>>
>> $ lintian -i guitarix_0.24.0-1_i386.changes
>> [...]
>>
>> I already sorted out similar issues with upstream to correctly pass the
>> correct dpkg-buildflags to the build. But the above is still present, even
>> though it looks like everything (especially CPPFLAGS) is passed correctly.
>>
>> See also the build log at
>> https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045
>>
>> Maybe this is a false positive?
>>
>> Thanks in advance,
>>
>> Roland
>> [...]
>
> Hi,
>
> It is quite likely to be a false-positive, but Lintian does not have enough
> information to deduce that. Can you please run hardening-check --verbose on
> those binaries and return the result.

All reported files basically look like this:

$ hardening-check --verbose ./debian/guitarix/usr/lib/ladspa/guitarix.so
./debian/guitarix/usr/lib/ladspa/guitarix.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove
 Read-only relocations: yes
 Immediate binding: no, not found!
$

What would you suggest here?

Thanks in advance,

Roland
Bug#685299: lintian: False positive from hardening-no-fortify-functions
On 2013-01-18 14:08, Roland Stigge wrote:
> All reported files basically look like this:
>
> $ hardening-check --verbose ./debian/guitarix/usr/lib/ladspa/guitarix.so
> ./debian/guitarix/usr/lib/ladspa/guitarix.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: no, not found!
>  Fortify Source functions: no, only unprotected functions found!
>         unprotected: memset
>         unprotected: memmove
>  Read-only relocations: yes
>  Immediate binding: no, not found!
> $
>
> What would you suggest here?
>
> Thanks in advance,
>
> Roland

Since I have an outstanding suggestion to whitelist exactly those two
functions (see #673112#62), I decided to do so. In Lintian 2.5.12, those
warnings should now disappear.

However, should you meet this warning again, there is a good chance I will
recommend you to simply override it once you have asserted that the proper
build flags are passed to the compiler (blhc can help you with this).

~Niels
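The exchange above turns on what a symbol-based checker can and cannot see: with -D_FORTIFY_SOURCE=2 and optimization, glibc's checked __<fn>_chk variants replace the plain calls, but a call whose destination size the compiler can prove safe (or inline entirely) leaves no _chk symbol behind, so plain memset/memmove imports alone do not prove the flags were missing. The following is an added example, not hardening-check's or Lintian's own code, that reimplements this classification in miniature over `nm -D` style output. The FORTIFIABLE subset, the two `nm` excerpts and the verdict strings are constructed for illustration; the ignore list reflects the memcpy/memset/memmove whitelist discussed in this thread.

```python
"""Symbol-based FORTIFY_SOURCE check over `nm -D` style output.

Mirrors the idea behind hardening-check's "Fortify Source functions:" line:
code built with -D_FORTIFY_SOURCE=2 and optimization imports the checked
__<fn>_chk variants instead of the plain libc functions. The plain symbol is
only a hint: the compiler inlines or proves many calls safe at compile time
and then emits no _chk symbol at all, which is the false positive in the bug.
"""
import re

# Illustrative subset of glibc functions that have a __<name>_chk counterpart
# (the real checker carries a longer list; this is a constructed subset).
FORTIFIABLE = frozenset({
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "sprintf",
    "snprintf", "vsprintf", "printf", "fprintf", "read", "fgets", "gets",
})

# Plain symbols not counted as evidence of a missing FORTIFY_SOURCE: memcpy
# was already ignored by Lintian, memset and memmove were added in 2.5.12.
DEFAULT_IGNORED = frozenset({"memcpy", "memset", "memmove"})

# One `nm -D` line: optional hex address, one-letter type, symbol[@[@]VERSION]
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)\s*$")
_CHK = re.compile(r"^__(\w+)_chk$")


def undefined_symbols(nm_lines):
    """Names imported from shared libraries (nm type 'U'), version suffix dropped."""
    names = set()
    for line in nm_lines:
        m = _NM_LINE.match(line)
        if m and m.group(1) == "U":
            names.add(m.group(2).split("@", 1)[0])  # memcpy@GLIBC_2.14 -> memcpy
    return names


def fortify_status(nm_lines, ignored=DEFAULT_IGNORED):
    """Classify imports the way a symbol-only checker can.

    Returns {'protected': set, 'unprotected': set, 'verdict': 'yes'|'no'|'unknown'}.
    'unknown' means no fortifiable call survived into the symbol table, so the
    checker cannot tell a well-optimized fortified build from an unfortified one.
    """
    imports = undefined_symbols(nm_lines)
    protected = set()
    for sym in imports:
        m = _CHK.match(sym)
        if m:
            protected.add(m.group(1))
    unprotected = (imports & FORTIFIABLE) - set(ignored)
    if protected:
        verdict = "yes"
    elif unprotected:
        verdict = "no"
    else:
        verdict = "unknown"
    return {"protected": protected, "unprotected": unprotected, "verdict": verdict}


def report(nm_lines, ignored=DEFAULT_IGNORED):
    """Render one line in the style of hardening-check --verbose."""
    r = fortify_status(nm_lines, ignored)
    if r["verdict"] == "yes":
        text = "yes"
        if r["unprotected"]:
            text += ", some unprotected: " + ", ".join(sorted(r["unprotected"]))
    elif r["verdict"] == "no":
        text = "no, only unprotected functions found! " + " ".join(
            "unprotected: " + s for s in sorted(r["unprotected"]))
    else:
        text = "unknown, no protectable libc functions used"
    return " Fortify Source functions: " + text


# Constructed `nm -D` excerpt resembling the guitarix.so case from the thread:
# memset and memmove are the only fortifiable imports, no _chk variant appears.
GUITARIX_LIKE = """\
                 w __gmon_start__
                 U memset@GLIBC_2.0
                 U memmove@GLIBC_2.0
                 U pow@GLIBC_2.0
00001100 T ladspa_descriptor
""".splitlines()

# Constructed excerpt of an object built with FORTIFY_SOURCE where one copy's
# destination size could not be proven, so the checked variant was emitted.
FORTIFIED = """\
                 U __memcpy_chk@GLIBC_2.3.4
                 U __printf_chk@GLIBC_2.3.4
                 U strlen@GLIBC_2.0
""".splitlines()

if __name__ == "__main__":
    print("without whitelist:", report(GUITARIX_LIKE, ignored=frozenset()))
    print("Lintian 2.5.12+:  ", report(GUITARIX_LIKE))
    print("fortified build:  ", report(FORTIFIED))
```

Run stand-alone it prints the guitarix-like case as "no, only unprotected functions found!" without the whitelist and as "unknown" with it, which is exactly why the thread ends with "override it once you have asserted the flags are passed": the symbol table cannot settle the question, only the build log can.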
Bug#685299: lintian: False positive from hardening-no-fortify-functions
Package: lintian
Version: 2.5.10.1
Severity: normal

Hi,

consider the following (guitarix 0.24.0-1 is in experimental):

$ lintian -i guitarix_0.24.0-1_i386.changes
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix.so
N:
N:   This package provides an ELF binary that lacks the use of fortified libc
N:   functions. Either there are no potentially unfortified functions called
N:   by any routines, all unfortified calls have already been fully validated
N:   at compile-time, or the package was not built with the default Debian
N:   compiler flags defined by dpkg-buildflags. If built using
N:   dpkg-buildflags directly, be sure to import CPPFLAGS.
N:
N:   NB: Due to false-positives, Lintian ignores some unprotected functions
N:   (e.g. memcpy).
N:
N:   Refer to http://wiki.debian.org/Hardening and
N:   http://bugs.debian.org/673112 for details.
N:
N:   Severity: normal, Certainty: possible
N:
N:   Check: binaries, Type: binary, udeb
N:
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_IR.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_amp.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_compressor.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_crybaby.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_distortion.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_echo.so
W: guitarix: hardening-no-fortify-functions usr/lib/ladspa/guitarix_freeverb.so

I already sorted out similar issues with upstream to correctly pass the
correct dpkg-buildflags to the build. But the above is still present, even
though it looks like everything (especially CPPFLAGS) is passed correctly.

See also the build log at
https://buildd.debian.org/status/fetch.php?pkg=guitarix&arch=amd64&ver=0.24.0-1&stamp=1345247045

Maybe this is a false positive?

Thanks in advance,

Roland

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lintian depends on:
ii  binutils                       2.22-7.1
ii  bzip2                          1.0.6-3
ii  diffstat                       1.55-3
ii  file                           5.11-2
ii  gettext                        0.18.1.1-9
ii  hardening-includes             2.2
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.26+b1
ii  libarchive-zip-perl            1.30-6
ii  libc-bin                       2.13-35
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.31-1+b2
ii  libdpkg-perl                   1.16.8
ii  libemail-valid-perl            0.190-1
ii  libipc-run-perl                0.91-1
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtimedate-perl               1.2000-1
ii  liburi-perl                    1.60-1
ii  locales                        2.13-35
ii  man-db                         2.6.2-1
ii  patchutils                     0.3.2-1.1
ii  perl [libdigest-sha-perl]      5.14.2-12

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch             none
ii  dpkg-dev                       1.16.8
ii  libhtml-parser-perl            3.69-2
pn  libperlio-gzip-perl            none
ii  libtext-template-perl          1.45-2
ii  lzma                           9.22-2
ii  man-db                         2.6.2-1
ii  xz-utils [lzma]                5.1.1alpha+20120614-1

-- no debconf information
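The tag description above lists the third possible cause, a build that did not receive the dpkg-buildflags defaults (typically because CPPFLAGS, which carries -D_FORTIFY_SOURCE=2, was never imported), and Niels' reply points at blhc for settling it from the build log. The following is an added example, not blhc's code, showing the minimal form of that check: inspect each compiler invocation in a build log for the fortify define, an optimization level (FORTIFY_SOURCE is a no-op at -O0) and -fstack-protector, honouring later overrides such as -U_FORTIFY_SOURCE or a trailing -O0. The log lines are constructed for illustration and the problem strings are this example's own.

```python
"""Minimal build-log hardening check in the spirit of blhc.

For every compile line (driver + -c) report which of the Debian hardening
flags from dpkg-buildflags are missing. Later flags override earlier ones,
so "-O2 ... -O0" counts as unoptimized and "-D_FORTIFY_SOURCE=2 ...
-U_FORTIFY_SOURCE" counts as unfortified.
"""
import re

COMPILE_DRIVERS = ("cc", "gcc", "g++", "c++", "clang", "clang++")
_OPT = re.compile(r"-O([0-3sgz]?|fast)")
_FORTIFY = re.compile(r"-D_FORTIFY_SOURCE(?:=(\d+))?")


def check_compile_line(line):
    """Return a list of problems for a compile line, or None if it is not one."""
    tokens = line.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] not in COMPILE_DRIVERS:
        return None  # not a compiler invocation
    if "-c" not in tokens:
        return None  # link-only line; CPPFLAGS/CFLAGS do not apply here
    opt_level = None      # None means no -O seen, i.e. -O0
    fortify = None        # None means the macro was never defined
    stack_protector = False
    for t in tokens:
        m = _OPT.fullmatch(t)
        if m:
            opt_level = m.group(1) or "1"  # bare -O means -O1
            continue
        m = _FORTIFY.fullmatch(t)
        if m:
            fortify = int(m.group(1)) if m.group(1) else 1
            continue
        if t == "-U_FORTIFY_SOURCE":
            fortify = 0
        elif t.startswith("-fstack-protector"):
            stack_protector = True
        elif t == "-fno-stack-protector":
            stack_protector = False
    problems = []
    if fortify is None or fortify < 2:
        problems.append("CPPFLAGS missing -D_FORTIFY_SOURCE=2")
    elif opt_level in (None, "0"):
        problems.append("FORTIFY_SOURCE needs optimization (-O1 or higher)")
    if not stack_protector:
        problems.append("CFLAGS missing -fstack-protector")
    return problems


def check_build_log(lines):
    """Map 1-based log line numbers to their problems (only lines with problems)."""
    findings = {}
    for n, line in enumerate(lines, 1):
        problems = check_compile_line(line)
        if problems:
            findings[n] = problems
    return findings


# Constructed build log: line 2 carries the full dpkg-buildflags set, line 3
# was compiled by an upstream rule that ignores CPPFLAGS/CFLAGS, line 4 has the
# define but a trailing -O0 disables it, line 5 is a link step.
BUILD_LOG = """\
dpkg-buildpackage: source package guitarix
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIC -c src/amp.c -o src/amp.o
g++ -g -O2 -fPIC -c src/echo.cc -o src/echo.o
gcc -D_FORTIFY_SOURCE=2 -fstack-protector -O2 -O0 -c src/debug.c -o src/debug.o
g++ -shared -o guitarix.so src/amp.o src/echo.o src/debug.o
""".splitlines()

if __name__ == "__main__":
    for n, problems in sorted(check_build_log(BUILD_LOG).items()):
        print(f"line {n}: {BUILD_LOG[n - 1].split()[0]} -> {'; '.join(problems)}")
```

A clean result here, combined with the symbol-table "unknown" verdict, is the situation in which overriding the Lintian tag is justified; a finding on a compile line means the package's build system, not Lintian, is what needs fixing.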