On Wed, Jul 04, 2012 at 02:03:57PM -0400, Asheesh Laroia wrote:
> I'm concerned by the following lintian warnings on mentors,
> which I can reproduce locally:
>
> W: liblastfm-fingerprint0: hardening-no-fortify-functions
> usr/lib/x86_64-linux-gnu/liblastfm_fingerprint.so.0.4.0
> W: liblastfm0: hardening-no-fortify-functions
> usr/lib/x86_64-linux-gnu/liblastfm.so.0.4.0
>
> Other than that, this seems reasonable so far!

Yes, those warnings concern me too. The build uses -O2 &
-D_FORTIFY_SOURCE=2, but running hardening-check --verbose on each of
the libraries shows this:

/usr/lib/x86_64-linux-gnu/liblastfm.so.0.4.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: strncpy
    unprotected: fread
 Read-only relocations: yes
 Immediate binding: no, not found!

/usr/lib/x86_64-linux-gnu/liblastfm_fingerprint.so.0.4.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: memset
    unprotected: memmove
    unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!

I don't know which of these--if any--are false positives. Any help
would be appreciated.
--
Archive: http://lists.debian.org/20120704193041.GA22142@panurge
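
The report quoted above depends on which libc functions a library imports: a plain `memcpy` import means at least one call was not replaced by `__memcpy_chk`, which also happens when the compiler cannot determine the destination size or can already prove the call safe, so building with -D_FORTIFY_SOURCE=2 does not guarantee a clean result. The following is an added example, not part of the original message and not hardening-check's own code; the function list, the verdict labels and the symbol tables are assumptions constructed for illustration.

```python
# Added example: a simplified model of a fortify-symbol check.
# It is not hardening-check's own code; the verdict labels are this example's.

# Assumption: a small subset of the libc functions that have __*_chk variants.
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy",
               "sprintf", "snprintf", "fread", "read"}

# Constructed `readelf --dyn-syms` style output (not taken from liblastfm).
SAMPLE_UNFORTIFIED = """\
Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     4: 0000000000001139    42 FUNC    GLOBAL DEFAULT   12 example_init
"""
SAMPLE_MIXED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strncpy@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fread@GLIBC_2.2.5 (2)
"""

def undefined_functions(dynsym_text):
    """Return the names of imported (undefined) functions, version suffix removed."""
    names = set()
    for line in dynsym_text.splitlines():
        f = line.split()
        # Columns: Num Value Size Type Bind Vis Ndx Name [version index]
        if len(f) >= 8 and f[3] == "FUNC" and f[6] == "UND":
            names.add(f[7].split("@")[0])
    return names

def classify(names):
    """Return (verdict, protected, unprotected) for a set of imported names."""
    protected = sorted(n[2:-4] for n in names
                       if n.startswith("__") and n.endswith("_chk")
                       and n[2:-4] in FORTIFIABLE)
    unprotected = sorted(n for n in names if n in FORTIFIABLE)
    if protected and not unprotected:
        verdict = "yes"
    elif protected:
        verdict = "partial"
    elif unprotected:
        verdict = "no"       # the case reported for both libraries above
    else:
        verdict = "unknown"  # no fortifiable functions imported at all
    return verdict, protected, unprotected
```

A "no" verdict from this kind of check says only that no `__*_chk` import was found, so each listed call site still has to be read in the source to decide whether it is a false positive.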