On Tuesday, 26.03.2024 at 17:03 +0000, Jeremy Sowden wrote:
> [...]
> 
> The following should suffice:
> 
>   export DH_VERBOSE = 1
>   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>   export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs
> 
>   %:
>           dh $@ --with autoreconf
> 

So, this is exactly what I had initially.

> Running the build one can see:
> 
>   g++ [...] -D_FORTIFY_SOURCE=2 [...]
> 
> so the right argument is being passed to the compiler. There is a list
> of the functions that are fortified here:
> 
> https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
> 
> Does the software use any of these?  If not, this is a false
> positive.
> 
> J.

Galvani only uses "open" for file operations and "read" to read from
usb devices.

I'm a bit confused now. The output of "blhc galvani_0.34-1_amd64.build"
is empty, but "hardening-check -vR /usr/bin/galvani" gives:
------------------------------------
/usr/bin/galvani:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
        unprotected: read
        unprotected: memcpy
        unprotected: readlink
        unprotected: vsnprintf
        unprotected: memset
        unprotected: memmove
        unprotected: realpath
        unprotected: getcwd
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
--------------------------------------
followed by a long list.

Burkard
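What the "Fortify Source functions" line of hardening-check actually reports, as an added example that is not from the thread or from devscripts: a small Python re-implementation of its heuristic, modelled on hardening-check, run over constructed `readelf --dyn-syms` excerpts (not from a real galvani binary). The checker only looks at imported symbol names: a fortifiable function counts as "protected" when the binary imports its `__*_chk` variant, and as "unprotected" when it imports the plain name. The FORTIFIABLE set is an assumed subset of the glibc list.

```python
import re
# Subset of the functions glibc can fortify (see the Source Fortification
# page linked in the thread); the real hardening-check carries a longer list.
FORTIFIABLE = {"memcpy", "memmove", "memset", "read", "readlink", "realpath",
               "getcwd", "vsnprintf", "snprintf", "sprintf", "strcpy", "fgets"}
# Constructed `readelf --dyn-syms` excerpt mimicking the thread's result: the
# fortifiable calls are imported under their plain names, no __*_chk variant.
SAMPLE_UNFORTIFIED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getcwd@GLIBC_2.2.5 (2)
     5: 0000000000001139    23 FUNC    GLOBAL DEFAULT   14 main
"""
# Constructed excerpt where the compiler knew one destination size: snprintf
# into a fixed array became __snprintf_chk, memcpy through a pointer stayed plain.
SAMPLE_MIXED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
"""
CHK_RE = re.compile(r"^__(\w+)_chk$")

def imported_functions(readelf_output):
    """Names of undefined FUNC symbols, i.e. calls resolved from shared libraries."""
    names = set()
    for line in readelf_output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[3] == "FUNC" and fields[6] == "UND":
            names.add(fields[7].split("@")[0])  # drop the @GLIBC_x.y version tag
    return names

def fortify_report(readelf_output):
    """Return (verdict, protected, unprotected) worded like hardening-check."""
    protected, unprotected = set(), set()
    for name in imported_functions(readelf_output):
        m = CHK_RE.match(name)
        if m and m.group(1) in FORTIFIABLE:
            protected.add(m.group(1))   # compiler emitted the size-checking variant
        elif name in FORTIFIABLE:
            unprotected.add(name)       # plain call: object size unknown at compile time
    if protected and not unprotected:
        verdict = "yes"
    elif protected:
        verdict = "yes (some protected functions found)"
    elif unprotected:
        verdict = "no, only unprotected functions found!"
    else:
        verdict = "no, not found!"
    return verdict, sorted(protected), sorted(unprotected)
```

A plain `memcpy` or `read` import means the compiler could not determine the destination object's size at that call site, so `_FORTIFY_SOURCE` had nothing to check there even though the flag was passed (which is why blhc, which inspects the build log rather than the binary, stays silent).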
