Moritz Muehlenhoff <[email protected]> writes:

> Please enabled hardened build flags through dpkg-buildflags.

> I've attached a partial patch. It enables a protected stack and
> read-only relocs.

> Fortified source functions are not properly enabled. I haven't debugged
> this further, but it seems as if CPPFLAGS (-D_FORTIFY_SOURCE=2) isn't
> properly propagated in the upstream build system. You might want to take
> this upstream or clone the bug.

I took a look at the latter part of this, and so far as I can tell,
CPPFLAGS are properly propagated.  I see the -D appearing on all the
compilation lines correctly, but hardening-check doesn't see the effects.

I did notice that libxmltooling-lite, which is the same code built to
disable some features, shows up in hardening-check with:

 Fortify Source functions: unknown, no protectable libc functions used

I'm wondering if possibly libxmltooling just has so few protectable
functions that the few that it has aren't eligible for some reason.

But so far as I can tell, upstream isn't doing anything wrong here, and
the issue is something else: either there's some sort of problem with how
the compiler and library implement this that causes it to miss this code
base, or the functinos aren't eligible.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to