Hi all,
with the ION package I've got these false positives:
9 unprotected: recvfrom
8 unprotected: recv
8 unprotected: memset
6 unprotected: read
6 unprotected: memcpy
while I'm using -D_FORTIFY_SOURCE=2 during build.
--
Ubuntu
Hi Niels,
On 22/05/12 14:05, Niels Thykier wrote:
[2] // Poor man's strdup
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    const char *s = argv[0];
    size_t l = strlen(s);
    /* allocate room for the string plus its terminating NUL */
    char *cpy = malloc(l + 1);
    if (!cpy)
        return 1;
    /* copy s into the freshly sized buffer; FORTIFY cannot know the
       destination size here, so this call is emitted unchecked */
    strcpy(cpy, s);
    puts(cpy);
    free(cpy);
    return 0;
}
On 2012-05-21 20:25, Modestas Vainius wrote:
Hello,
Hi,
For the record, I have just demoted no-stackprotector to a wild-guess
(thus, it is now an I tag) and moved it to a separate profile
(debian/extra-hardening) so it is no longer enabled by default.
On Saturday 19 May 2012 19:49:14
On 2012-05-22 12:54, Niels Thykier wrote:
On 2012-05-21 20:25, Modestas Vainius wrote:
Hello,
Hi,
[...]
We use hardening-check (from hardening-includes) - as I recall it
carries a list of unprotected functions and checks for them (via
readelf). It maps them to a safe-variant and
On 2012-05-22 13:05, Niels Thykier wrote:
[...]
Turns out hardening-check has a verbose flag that makes it print the
affected functions - testing amarok (testing i386) I got[1]. Looks like
memcpy is the primary source of false-positives (for amarok).
If it turns out that memcpy is (in
On Tue, May 22, 2012 at 12:54:19PM +0200, Niels Thykier wrote:
On 2012-05-21 20:25, Modestas Vainius wrote:
For the record, I have just demoted no-stackprotector to a wild-guess
(thus, it is now an I tag) and moved it to a separate profile
(debian/extra-hardening) so it is no longer enabled by
Hello,
On Saturday 19 May 2012 19:49:14 Russ Allbery wrote:
Sven Joachim svenj...@gmx.de writes:
Easier said than done, how should I override this warning:
,
| W: libncurses5: hardening-no-fortify-functions
| usr/lib/i386-linux-gnu/libmenu.so.5.9
`
libncurses5
On 2012-05-18 22:34 +0200, Russ Allbery wrote:
Ralf Jung p...@ralfj.de writes:
I'd like to extend this to hardening-no-fortify-functions: My package
definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
-fstack-protector --param=ssp-buffer-size=4 -Wformat
Sven Joachim svenj...@gmx.de writes:
Easier said than done, how should I override this warning:
,
| W: libncurses5: hardening-no-fortify-functions
usr/lib/i386-linux-gnu/libmenu.so.5.9
`
libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*
--
Russ Allbery
Hi,
I'd like to extend this to hardening-no-fortify-functions: My package
definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2), but I get a hardening-no-stackprotector and
Ralf Jung p...@ralfj.de writes:
I'd like to extend this to hardening-no-fortify-functions: My package
definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2), but I get a
Package: lintian
Version: 2.5.7
Severity: normal
The new hardening warnings are certainly a useful reminder to use
dpkg-buildflags, but especially hardening-no-stackprotector seems to
have a high number of false positives. In ncurses-examples alone there
are no less than 40