Bug#656656: Please enabled hardened build flags

Fri, 27 Jan 2012 09:33:19 -0800 

Moritz Muehlenhoff <j...@inutil.org> writes:

> It appears to be an issue in the xmltooling build system:

> $ readelf -sW /usr/lib/x86_64-linux-gnu/libxmltooling-lite.so.5.0.2 | grep 
> 'mem[cpy|set]'
>     45: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcmp@GLIBC_2.2.5 
> (6)
>     50: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 
> (6)
>    212: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.2.5 
> (6)
>  
> It should rather use the fortified counter parts,
> e.g. __memcpy_chk@GLIBC_2.3.4

Hm.  Well, the xmltooling build system is straightforward Autoconf and
Automake, and I'm really at a loss as to what the build system could
possibly be doing that would cause this.  You can see from the build log
that the right flag is being passed to the compiler:

/bin/sh ../libtool --silent --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I. 
-I..   -pthread -g -Wall -O2 -O2 -DNDEBUG -D_FORTIFY_SOURCE=2    -pthread -Wall 
-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security 
-Werror=format-security -O2 -DNDEBUG -c -o 
AbstractAttributeExtensibleXMLObject.lo AbstractAttributeExtensibleXMLObject.cpp
/bin/sh ../libtool --silent --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I. 
-I..   -pthread -g -Wall -O2 -O2 -DNDEBUG -D_FORTIFY_SOURCE=2    -pthread -Wall 
-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security 
-Werror=format-security -O2 -DNDEBUG -c -o AbstractComplexElement.lo 
AbstractComplexElement.cpp

etc.  And there are no references to _FORTIFY_SOURCE anywhere in the code
base, so nothing is undefining it.

So I have no idea what to tell upstream, since I can't figure out what
they could possibly fix.

_FORTIFY_SOURCE appears to work at the level of the included headers and
the preprocessor.  Is it at all possible that the calls to memcmp, memset,
and memcpy that aren't being transformed are internally-generated calls
created by the compiler for things like struct copies?

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to