On Friday, 18.01.2013, at 18:15 +0100, Niels Thykier wrote:
> Control: forcemerge 685299 -1
>
> On 2012-12-07 01:24, Benjamin Drung wrote:
> > Package: lintian
> > Version: 2.5.10.2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > lintian produces inter alia the following output for VLC:
> >
> > $ lintian vlc_2.0.3-4_amd64.changes
> > [...]
> >
> > The hardening dpkg-buildflags are passed to the build system. The build log
> > looks like everything (including CPPFLAGS) is handled correctly. Most of the
> > vlc plugins are correctly detected to use fortified libc functions. I see no
> > difference in the logs between the detected and non-detected plugins.
> > Therefore I assume that the lintian warnings are false positives.
> >
> > Versions of packages lintian depends on:
> > ii hardening-includes 2.2
> >
>
> The majority (but not all) of the tags have disappeared with the fix for
> #685299. Though I cannot fix all of them without completely neutering the
> check.

Thanks. The current git version of lintian (29bd97f6) reduces the number of
hardening-no-fortify-functions warnings from 61 to 14. Attached is the verbose
log from hardening-check for the remaining 14 plugins. Should I override these
warnings?

-- 
Benjamin Drung
Debian & Ubuntu Developer

$ for i in usr/lib/vlc/plugins/access/libpulsesrc_plugin.so \
    usr/lib/vlc/plugins/audio_output/libpulse_plugin.so \
    usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so \
    usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so \
    usr/lib/vlc/plugins/access/libaccess_oss_plugin.so \
    usr/lib/vlc/plugins/access/libdc1394_plugin.so \
    usr/lib/vlc/plugins/access/liblibbluray_plugin.so \
    usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so \
    usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so \
    usr/lib/vlc/plugins/control/libnetsync_plugin.so \
    usr/lib/vlc/plugins/demux/libmjpeg_plugin.so \
    usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so \
    usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so \
    usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so; \
  do hardening-check --verbose $i; done
usr/lib/vlc/plugins/access/libpulsesrc_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/audio_output/libpulse_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/video_output/libxcb_window_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: gethostname
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_mtp_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libaccess_oss_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/libdc1394_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: read
    unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/liblibbluray_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: strncpy
    unprotected: memset
    unprotected: realpath
    unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_file_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access_output/libaccess_output_http_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: strncpy
    unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/control/libnetsync_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: recvfrom
    unprotected: recv
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/demux/libmjpeg_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: strncpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/services_discovery/libpodcast_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: memmove
    unprotected: stpcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_langfromtelx_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: strncpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/stream_out/libstream_out_select_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: memmove
    unprotected: recv
 Read-only relocations: yes
 Immediate binding: no, not found!
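
Added example, not part of the original message and not code from lintian or hardening-check: a small parser for the hardening-check --verbose log above that groups the flagged plugins by unprotected libc function, so each call site can be reviewed once before deciding on an override. It assumes one field per line as in the log; the names parse_report and files_by_function are hypothetical.

```python
from collections import defaultdict

# Two entries copied from the hardening-check --verbose log in the message above.
SAMPLE_LOG = """\
usr/lib/vlc/plugins/access/libdc1394_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
\tunprotected: read
\tunprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib/vlc/plugins/access/liblibbluray_plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
\tunprotected: strncpy
\tunprotected: memset
\tunprotected: realpath
\tunprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!
"""

def parse_report(text):
    """Return {path: {field name: [values]}}; 'unprotected' lists the functions."""
    report, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not raw[0].isspace():  # unindented file header
            current = report.setdefault(line[:-1], {})
        elif current is None or ":" not in line:
            continue  # shell prompt before the first header, or a blank line
        else:
            name, value = (part.strip() for part in line.split(":", 1))
            current.setdefault(name, []).append(value)
    return report

def files_by_function(report):
    """Map each unprotected libc function to the files reporting it."""
    grouped = defaultdict(list)
    for path, entry in report.items():
        for func in entry.get("unprotected", []):
            grouped[func].append(path)
    return dict(grouped)

if __name__ == "__main__":
    for func, paths in sorted(files_by_function(parse_report(SAMPLE_LOG)).items()):
        print(f"{func}: {', '.join(paths)}")
```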

