Moritz Muehlenhoff <[email protected]> writes: > Please enabled hardened build flags through dpkg-buildflags.
> I've attached a partial patch. It enables a protected stack and > read-only relocs. > Fortified source functions are not properly enabled. I haven't debugged > this further, but it seems as if CPPFLAGS (-D_FORTIFY_SOURCE=2) isn't > properly propagated in the upstream build system. You might want to take > this upstream or clone the bug. I took a look at the latter part of this, and so far as I can tell, CPPFLAGS are properly propagated. I see the -D appearing on all the compilation lines correctly, but hardening-check doesn't see the effects. I did notice that libxmltooling-lite, which is the same code built to disable some features, shows up in hardening-check with: Fortify Source functions: unknown, no protectable libc functions used I'm wondering if possibly libxmltooling just has so few protectable functions that the few that it has aren't eligible for some reason. But so far as I can tell, upstream isn't doing anything wrong here, and the issue is something else: either there's some sort of problem with how the compiler and library implement this that causes it to miss this code base, or the functinos aren't eligible. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

