Package: lintian Version: 2.5.11 Severity: normal I'm getting these for a few different packages. Not sure if they're related, but I took a moment to track this one down. In the new xml-security-c 1.7.0-1, I get:
W: xml-security-c-utils: hardening-no-fortify-functions usr/bin/xmlsec-xklient but the relevant build lines are: g++ -DHAVE_CONFIG_H -I. -I.. -I../xsec/framework -I.. -D_FORTIFY_SOURCE=2 -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -c -o xklient.o `test -f 'tools/xklient/xklient.cpp' || echo './'`tools/xklient/xklient.cpp tools/xklient/xklient.cpp: In function 'int doParsedMsgDump(xercesc_3_1::DOMDocument*)': tools/xklient/xklient.cpp:3815:6: warning: variable 'errorsOccured' set but not used [-Wunused-but-set-variable] /bin/sh ../libtool --tag=CXX --mode=link g++ -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o xklient xklient.o libxml-security-c.la -lxerces-c -lm -lssl -lcrypto libtool: link: g++ -Wall -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -DNDEBUG -pthread -DXSEC_LIBRARY_BUILD -fPIE -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o .libs/xklient xklient.o -Wl,--as-needed ./.libs/libxml-security-c.so -lxerces-c -lm -lssl -lcrypto -pthread so all the appropriate flags should be there. hardening-check of course has the same issue: % hardening-check xmlsec-xklient xmlsec-xklient: Position Independent Executable: yes Stack protected: yes Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: yes I get the same thing from libkopenafs1: % hardening-check /usr/lib/libkopenafs.so /usr/lib/libkopenafs.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: yes even though it's built with hardening-wrappers, although I wasn't as sure with it since it incorporates some assembly and I wasn't sure if that would confuse the check. Note that libkopenafs1 hardly calls anything in libc: Symbol table '.dynsym' contains 21 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab 2: 00000000 0 FUNC GLOBAL DEFAULT UND free@GLIBC_2.0 (3) 3: 00000000 0 FUNC GLOBAL DEFAULT UND signal@GLIBC_2.0 (3) 4: 00000000 0 FUNC GLOBAL DEFAULT UND ioctl@GLIBC_2.0 (3) 5: 00000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.1.3 (4) 6: 00000000 0 FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.0 (3) 7: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 8: 00000000 0 FUNC GLOBAL DEFAULT UND open@GLIBC_2.0 (5) 9: 00000000 0 FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.0 (5) 10: 00000000 0 FUNC GLOBAL DEFAULT UND syscall@GLIBC_2.0 (3) 11: 00000000 0 FUNC GLOBAL DEFAULT UND getgroups@GLIBC_2.0 (3) 12: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses 13: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable 14: 00000000 0 FUNC GLOBAL DEFAULT UND close@GLIBC_2.0 (5) 15: 000008b0 86 FUNC GLOBAL DEFAULT 12 k_unlog@@KOPENAFS_1.0 16: 00000000 0 OBJECT GLOBAL DEFAULT ABS KOPENAFS_1.0 17: 00000870 56 FUNC GLOBAL DEFAULT 12 k_pioctl@@KOPENAFS_1.0 18: 00000790 187 FUNC GLOBAL DEFAULT 12 k_hasafs@@KOPENAFS_1.0 19: 00000910 361 FUNC GLOBAL DEFAULT 12 k_haspag@@KOPENAFS_1.0 20: 00000850 25 FUNC GLOBAL DEFAULT 12 k_setpag@@KOPENAFS_1.0 so I'm not sure what hardening-check has to complain about. -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.8-2-686-pae (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages lintian depends on: ii binutils 2.22-8 ii bzip2 1.0.6-4 ii diffstat 1.55-3 ii file 1:5.11-3 ii gettext 0.18.1.1-10 ii hardening-includes 2.3 ii intltool-debian 0.35.0+20060710.1 ii libapt-pkg-perl 0.1.28 ii libarchive-zip-perl 1.30-6 ii libc-bin 2.13-38 ii libclass-accessor-perl 0.34-1 ii libclone-perl 0.31-1+b2 ii libdpkg-perl 1.16.10 ii libemail-valid-perl 0.190-1 ii libipc-run-perl 0.92-1 ii libparse-debianchangelog-perl 1.2.0-1 ii libtext-levenshtein-perl 0.06~01-2 ii libtimedate-perl 1.2000-1 ii liburi-perl 1.60-1 ii locales 2.17-3 ii man-db 2.6.3-3 ii patchutils 0.3.2-1.1 ii perl [libdigest-sha-perl] 5.14.2-21 ii t1utils 1.37-2 lintian recommends no packages. Versions of packages lintian suggests: pn binutils-multiarch <none> ii dpkg-dev 1.16.10 ii libhtml-parser-perl 3.71-1 pn libperlio-gzip-perl <none> ii libtext-template-perl 1.45-2 ii man-db 2.6.3-3 ii xz-utils [lzma] 5.1.1alpha+20120614-2 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org