Hi all,

I am packaging a new upstream version of gwyddion (to be found in Debian Med SVN) and lintian brought up quite some warnings concerning hardening stuff. My knowledge in that direction is extremely limited, so I am seeking advice here. Lintian complains several times similar to this:

----------
W: gwyddion: hardening-no-stackprotector usr/lib/gwyddion/modules/file/ambfile.so
N:
N: This package provides an ELF binary that lacks the stack protector
N: function __stack_chk_fail. Either there are no character arrays used on
N: the stack of any routines, or the package was not built with the default
N: Debian compiler flags defined by dpkg-buildflags. If built using
N: dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
N:
N: Refer to http://wiki.debian.org/Hardening for details.
----------

When looking at the relevant section of the build-log, I feel that the -fstack-protector option is given during compile:

----------
# source='ambfile.c' object='ambfile.lo' libtool=yes
/bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I.
    -I../.. -I../.. -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W
    -Wshadow -Wpointer-arith -Wno-sign-compare -Wundef
    -Werror-implicit-function-declaration -Wno-system-headers
    -Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
    -Wredundant-decls -I/usr/include/glib-2.0
    -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -pthread
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
    -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
    -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
    -I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
    -I/usr/lib/gtkglext-1.0/include -fno-trapping-math -fno-math-errno -g
    -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Werror=format-security -Wall -c -o ambfile.lo ambfile.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../..
    -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W -Wshadow
    -Wpointer-arith -Wno-sign-compare -Wundef
    -Werror-implicit-function-declaration -Wno-system-headers
    -Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
    -Wredundant-decls -I/usr/include/glib-2.0
    -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -pthread
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
    -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
    -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
    -I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
    -I/usr/lib/gtkglext-1.0/include -fno-trapping-math -fno-math-errno -g -O2
    -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Werror=format-security -Wall -c ambfile.c -fPIC -DPIC -o .libs/ambfile.o
/bin/bash ../../libtool --tag=CC --mode=link gcc -Wall -W -Wshadow
    -Wpointer-arith -Wno-sign-compare -Wundef
    -Werror-implicit-function-declaration -Wno-system-headers
    -Wno-pointer-sign -Wno-format-zero-length -Wdeclaration-after-statement
    -Wredundant-decls -I/usr/include/glib-2.0
    -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -pthread
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -pthread -I/usr/include/pango-1.0 -I/usr/include/freetype2
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
    -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
    -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo
    -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pixman-1
    -I/usr/include/libpng12 -I/usr/include/atk-1.0 -I/usr/include/gtkglext-1.0
    -I/usr/lib/gtkglext-1.0/include -fno-trapping-math -fno-math-errno -g
    -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Werror=format-security -Wall -avoid-version -module -Wl,-z,relro
    -o ambfile.la -rpath /usr/lib/gwyddion/modules/file ambfile.lo
libtool: link: gcc -shared -fPIC -DPIC .libs/ambfile.o -pthread
    -pthread -O2 -Wl,-z -Wl,relro -pthread -Wl,-soname -Wl,ambfile.so
    -o .libs/ambfile.so
libtool: link: ( cd ".libs" && rm -f "ambfile.la" && ln -s "../ambfile.la" "ambfile.la" ) \
----------

Is it okay to ignore the Lintian warning (maybe its logic is not quite perfect?) or do I need to do something to really implement this correctly? There are also some more lintian warnings concerning hardening-no-fortify-functions, but I think, once I understood the above, these ones should work similarly.

Thanks for any help!

Best regards,
Jan

-- 
Jan Beyer
happy Debian Maintainer ;-)
mail [email protected] GPG key ID 0x0CA6B4AA
jabber [email protected]
web http://www.beathovn.de/
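
The lintian note quoted above names two possible causes: no character arrays on the stack, or the dpkg-buildflags flags not reaching the compiler. The following is an added example, not part of the original post and not lintian's own logic, that checks the second cause by auditing the real compiler invocations in a libtool build log for the hardening flags shown in the post. The sample log is constructed from shortened versions of the post's lines, and `other.c` is a hypothetical unhardened file.

```python
import re
import shlex

# Constructed sample: shortened libtool lines modelled on the log in the post.
SAMPLE_LOG = r'''
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c ambfile.c -fPIC -DPIC -o .libs/ambfile.o
libtool: link: gcc -shared -fPIC -DPIC .libs/ambfile.o -pthread -O2 -Wl,-z -Wl,relro -Wl,-soname -Wl,ambfile.so -o .libs/ambfile.so
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -c other.c -fPIC -DPIC -o .libs/other.o
'''

COMPILERS = {"gcc", "cc", "g++", "c++"}

def missing_flags(line):
    """Return (step, output, missing flags) for a real compiler line, else None."""
    line = re.sub(r"^libtool: (compile|link):\s*", "", line.strip())
    try:
        args = shlex.split(line)
    except ValueError:          # unbalanced quotes: not a command we can audit
        return None
    if not args or args[0] not in COMPILERS:
        return None             # skips the "/bin/bash ../../libtool ..." wrapper lines
    out = args[args.index("-o") + 1] if "-o" in args[:-1] else "?"
    missing = []
    if "-c" in args:            # compile step
        if not any(a.startswith("-fstack-protector") for a in args):
            missing.append("-fstack-protector")
        # _FORTIFY_SOURCE only takes effect when optimisation is enabled.
        optimised = any(a.startswith("-O") and a != "-O0" for a in args)
        if "-D_FORTIFY_SOURCE=2" not in args or not optimised:
            missing.append("-D_FORTIFY_SOURCE=2 (needs -O1 or higher)")
        if "-Wformat" not in args or "-Werror=format-security" not in args:
            missing.append("-Wformat -Werror=format-security")
        return ("compile", out, missing)
    # Link step: libtool rewrites -Wl,-z,relro as "-Wl,-z -Wl,relro" (see the post).
    if "-Wl,-z,relro" not in args and "-Wl,-z -Wl,relro" not in " ".join(args):
        missing.append("-Wl,-z,relro")
    return ("link", out, missing)

def audit(log):
    """Audit every compiler invocation found in a build log."""
    return [r for r in map(missing_flags, log.splitlines()) if r]

if __name__ == "__main__":
    for step, out, missing in audit(SAMPLE_LOG):
        print(f"{step:8}{out:20}{'OK' if not missing else 'missing: ' + ', '.join(missing)}")
```

When every compile line passes this check and the warning persists, the remaining cause from the lintian note is that the object has no stack character arrays large enough to be instrumented under `--param=ssp-buffer-size=4`.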

