On 2012-05-22 12:54, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
>> Hello,
>>
>
> Hi,
>
> [...]
>
> We use hardening-check (from hardening-includes) - as I recall it
> carries a list of "unprotected functions" and checks for them (via
> readelf). It maps them to a "safe-variant" and checks for that as well.
> If both protected and unprotected are used or if no unprotected
> functions are used, it should mark it safe. However, I believe Kees
> (CC'ed) can correct me on (or confirm) the above.
>
> ~Niels
>
Turns out hardening-check has a verbose flag that makes it print the
affected functions - testing amarok (testing i386) I got[1]. Looks like
memcpy is the primary source of false-positives (for amarok).

If it turns out that memcpy is (in general) the primary source of these
false-positives, perhaps it would be better to skip that particular
function than disable the entire check.

~Niels

[1]
$ hardening-check --verbose $(find usr/lib/ -type f) | perl -ne \
   'print if /^\s+(un)?protected:/' | sort | uniq -c
      1  protected: fprintf
      1  protected: memcpy
      1  protected: memmove
      1  protected: memset
      1  protected: pread64
      1  protected: printf
      1  protected: realpath
      1  protected: snprintf
      1  protected: sprintf
      1  protected: strcat
      1  protected: strcpy
      1  protected: strncat
      1  protected: strncpy
      1  protected: vfprintf
      1  protected: vsnprintf
      1  unprotected: asprintf
      1  unprotected: confstr
      1  unprotected: fgets
      1  unprotected: fprintf
      2  unprotected: fread
      1  unprotected: getcwd
      1  unprotected: gethostname
     43  unprotected: memcpy
      1  unprotected: memmove
      3  unprotected: memset
      1  unprotected: pread64
      1  unprotected: printf
      1  unprotected: read
      1  unprotected: readlink
      1  unprotected: recv
      1  unprotected: snprintf
      2  unprotected: sprintf
      1  unprotected: stpcpy
      1  unprotected: strcat
      2  unprotected: strcpy
      2  unprotected: strncpy
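
The decision rule described in the quoted mail, and the effect of skipping memcpy as suggested in the reply, as an added example (not part of the original thread and not hardening-check's own code). It assumes glibc's `__<name>_chk` naming for the fortified variants; the function subset, the `classify` helper and the readelf-style symbol lines are constructed for illustration.

```python
import re

# Subset of the functions listed in the output above (assumption: the real
# tool carries its own, longer list).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy",
               "strcat", "sprintf", "snprintf", "printf", "fprintf"}

# An undefined (imported) symbol in `readelf --dyn-syms` style output;
# the capture stops before any "@GLIBC_x.y" version suffix.
UND_SYM = re.compile(r"\bUND\s+([A-Za-z_]\w*)")

def imported_functions(readelf_text):
    """Return the set of imported symbol names, version suffix dropped."""
    names = set()
    for line in readelf_text.splitlines():
        m = UND_SYM.search(line)
        if m:
            names.add(m.group(1))
    return names

def classify(readelf_text, ignore=()):
    """Return (fortified, protected, unprotected) for one binary."""
    syms = imported_functions(readelf_text)
    # Assumption: fortified variant of f is named __f_chk (glibc convention).
    protected = sorted(f for f in FORTIFIABLE if f"__{f}_chk" in syms)
    unprotected = sorted(f for f in FORTIFIABLE
                         if f in syms and f not in ignore)
    # Rule from the mail: safe if no unprotected functions are used, or if
    # both protected and unprotected functions are used.
    fortified = not unprotected or bool(protected)
    return fortified, protected, unprotected

# Constructed sample symbol tables (not taken from amarok).
ONLY_MEMCPY = """\
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (2)
"""
MIXED = ONLY_MEMCPY + """\
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
"""
ONLY_STRCPY = """\
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.0 (2)
"""

if __name__ == "__main__":
    for name, text in [("only-memcpy", ONLY_MEMCPY), ("mixed", MIXED),
                       ("only-strcpy", ONLY_STRCPY)]:
        print(name, classify(text), classify(text, ignore={"memcpy"}))
```

Skipping memcpy changes the verdict only for the binary whose sole unprotected import is memcpy; the binary that imports only an unfortified strcpy is still flagged.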