Package: blhc
Version: 0.12-2
Severity: normal
Tags: upstream
X-Debbugs-Cc: si...@ruderich.org
Hi Simon,

The line shown in the subject is being produced by blhc over CMake 3.16 and later versions. See an example below, from obs-advanced-scene-switcher (currently only in Salsa and the NEW queue):

CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /usr/lib/ccache/c++ -dM -E -c /usr/share/cmake-3.18/Modules/CMakeCXXCompilerABI.cpp -DASIO_STANDALONE -DHAVE_OBSCONFIG_H -DQT_CORE_LIB -DQT_GUI_LIB -DQT_NO_DEBUG -DQT_WIDGETS_LIB -DREPLAYBUFFER_SUPPORTED -DVCAM_SUPPORTED -Dadvanced_scene_switcher_EXPORTS -I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/obj-x86_64-linux-gnu -I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir -I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/deps/asio/asio/include -I/builds/debian/obs-advanced-scene-switcher/debian/output/source_dir/deps/websocketpp -I/usr/include/obs -I/usr/include/x86_64-linux-gnu/qt5 -I/usr/include/x86_64-linux-gnu/qt5/QtCore -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++ -I/usr/include/x86_64-linux-gnu/qt5/QtWidgets -I/usr/include/x86_64-linux-gnu/qt5/QtGui -I/usr/include/x86_64-linux-gnu -I/usr/include -I/usr/include/c++/10 -I/usr/include/x86_64-linux-gnu/c++/10 -I/usr/include/c++/10/backward -I/usr/lib/gcc/x86_64-linux-gnu/10/include -I/usr/local/include

I found an explanation about this line here[1] (CMake project). A summary:

"From that Salsa job (link in the original report) you can see that what blhc (the hardening-tool-enforcement-thing) is complaining about are the four calls to the compiler like /usr/lib/ccache/c++ -dM -E -c /usr/share/cmake-3.16/Modules/CMakeCXXCompilerABI.cpp. These are obviously false positives, since it's CMake checking compiler flags and the resulting objects never end up in any artefacts from the build. Because CPPFLAGS aren't inserted in there, the calls are flagged, and the tool complains."

[1] https://gitlab.kitware.com/cmake/cmake/-/issues/20631#note_746828

Really, I tested a final binary with the hardening-check command and I can see:

# hardening-check obs-text-slideshow.so
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

I am getting the same message from blhc in some packages (in my packages packetsender, obs-advanced-scene-switcher and obs-text-slideshow). What do you think about adding the following line as an exclusion in blhc?

/usr/lib/ccache/c++ -dM -E -c /usr/share/cmake-.*/Modules/CMakeCXXCompilerABI.cpp

Now I will use an exclusion via debian/rules.

Thanks!

Regards,

Eriberto
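As an added illustration, not part of this report and not blhc's own code: the check below mimics the one CPPFLAGS check discussed here and shows why a narrowly scoped exclusion is the safer choice, since it skips only CMake's compiler ABI probe while still reporting a real compile line that lacks -D_FORTIFY_SOURCE=2. The probe regex is my generalisation of the pattern proposed above (any compiler path, C or C++ probe, any CMake version), and the log lines are constructed samples.

```python
import re

# Generalised from the exclusion proposed in the report (assumption: the
# whole matching line is skipped, as with a line-ignore regex). It matches
# only CMake's compiler ABI probe: any compiler path, C or C++, any version.
CMAKE_ABI_PROBE = re.compile(
    r"^\S+ -dM -E -c /usr/share/cmake-[\d.]+/Modules/CMake(C|CXX)CompilerABI\.c(pp)?\b"
)

# Heuristic for "this line compiles a source file": a compiler name followed
# by a -c flag somewhere in the arguments. Deliberately simple; blhc's real
# parser is more thorough.
COMPILE_STEP = re.compile(r"^\S*(cc|c\+\+|gcc|g\+\+|clang\+\+?)\s.*\s-c\s")

FORTIFY = "-D_FORTIFY_SOURCE=2"


def is_cmake_abi_probe(line):
    """True for the CMake ABI-detection compile that produces no shipped object."""
    return bool(CMAKE_ABI_PROBE.search(line))


def missing_cppflags(lines):
    """Return compile lines lacking -D_FORTIFY_SOURCE=2, skipping ABI probes."""
    hits = []
    for line in lines:
        line = line.strip()
        if not COMPILE_STEP.search(line) or is_cmake_abi_probe(line):
            continue
        if FORTIFY not in line.split():
            hits.append(line)
    return hits


# Constructed sample build log: one ABI probe (the false positive from the
# report), one properly hardened compile, one genuinely unhardened compile.
SAMPLE_LOG = [
    "/usr/lib/ccache/c++ -dM -E -c /usr/share/cmake-3.18/Modules/CMakeCXXCompilerABI.cpp -DQT_NO_DEBUG -I/usr/include",
    "/usr/bin/c++ -g -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -c src/switcher.cpp -o switcher.o",
    "/usr/bin/c++ -g -O2 -fstack-protector-strong -c src/slideshow.cpp -o slideshow.o",
]

if __name__ == "__main__":
    # Only the slideshow.cpp line is reported; the ABI probe is ignored.
    for hit in missing_cppflags(SAMPLE_LOG):
        print("CPPFLAGS missing (%s): %s" % (FORTIFY, hit))
```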