Package: lintian
Version: 2.5.4
Followup-For: Bug #650536

Hi,

I was informed (and have verified) that hardening-check uses "ldd(1)".
Unfortunately, ldd(1) appears to be (semi-)executing the binaries it is
run on[1]. This smells like a CVE in the making, so would it be possible
for you to update hardening-check to use readelf instead[2]?

~Niels

[1] Quote /usr/bin/ldd:
"""
# This is the `ldd' command, which lists what shared libraries are
# used by given dynamically-linked executables. It works by invoking the
# run-time dynamic linker as a command and setting the environment
# variable LD_TRACE_LOADED_OBJECTS to a non-empty value.
"""
Also take a look at #514408.

[2] objdump might work as well, but we are slowly migrating away from it
due to issues like #604047.
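Added example, not code from lintian, hardening-check or glibc: a pure-Python reader that pulls the DT_NEEDED list and the RELRO / BIND_NOW / PIE / NX facts out of an ELF file by parsing its program headers and dynamic section, i.e. the same data `readelf -l` and `readelf -d` print, without ever invoking the run-time linker on the file. It builds a minimal ELF64 image inline (a constructed sample, not a real binary) so it runs offline; `build_sample_elf` and the single-PT_LOAD layout it uses are this example's own assumptions.

```python
"""Static ELF inspection as an ldd(1) replacement (added example, not
lintian/hardening-check code). ldd runs the dynamic loader on the target
with LD_TRACE_LOADED_OBJECTS set; this only reads bytes from the file."""
import struct

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
DT_FLAGS, DT_FLAGS_1 = 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn


def vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments
    (in real binaries p_vaddr != p_offset, so this step is required)."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("vaddr 0x%x is not backed by any PT_LOAD" % vaddr)


def inspect_elf(data):
    """Return needed libraries and hardening facts; nothing is executed."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    loads, dynamic, relro, stack_flags = [], None, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
    needed_offs, strtab, flags, flags_1 = [], None, 0, 0
    if dynamic is not None:                 # statically linked: no PT_DYNAMIC
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed_offs.append(d_val)   # offset into the dynamic strtab
            elif d_tag == DT_STRTAB:
                strtab = vaddr_to_offset(loads, d_val)
            elif d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags_1 = d_val
    if needed_offs and strtab is None:
        raise ValueError("DT_NEEDED without DT_STRTAB")
    needed = [data[strtab + o:data.index(b"\0", strtab + o)].decode()
              for o in needed_offs]
    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, e_type),
        "needed": needed,
        "relro": relro,
        "bind_now": bool(flags & DF_BIND_NOW or flags_1 & DF_1_NOW),
        # Shared libraries are ET_DYN too; newer linkers set DF_1_PIE on -pie
        # executables, which disambiguates the two.
        "pie": e_type == ET_DYN and bool(flags_1 & DF_1_PIE),
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def build_sample_elf(needed=("libc.so.6",), bind_now=True, pie=True, relro=True):
    """Constructed sample: a minimal ELF64 image with one PT_LOAD at vaddr 0
    so file offsets equal virtual addresses. Not a runnable program."""
    strtab, name_offs = b"\0", []
    for n in needed:
        name_offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    phnum = 3 + int(relro)
    strtab_off = EHDR.size + PHDR.size * phnum
    dyn_off = (strtab_off + len(strtab) + 15) & ~15
    dyn = b"".join(DYN.pack(DT_NEEDED, o) for o in name_offs)
    dyn += DYN.pack(DT_STRTAB, strtab_off) + DYN.pack(DT_STRSZ, len(strtab))
    dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += DYN.pack(DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0))
    dyn += DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
             PHDR.pack(PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16)]       # RW, no PF_X
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, LE
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, phnum, 64, 0, 0)
    body = ehdr + b"".join(phdrs) + strtab
    return body + bytes(dyn_off - len(body)) + dyn


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf()
    print(inspect_elf(data))
```

Run it with a path to any ELF file and it prints the same facts `readelf -d`/`readelf -l` would give, having only read the file; with no argument it inspects the constructed sample. The DT_NEEDED names are resolved through the string table addressed by DT_STRTAB, which is the part ldd delegates to the loader and the reason it has to run the target.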

