Hi all,
with the ION package I've got these false positives:
9 unprotected: recvfrom
8 unprotected: recv
8 unprotected: memset
6 unprotected: read
6 unprotected: memcpy
while I'm using -D_FORTIFY_SOURCE=2 during build.
--
Ubuntu
Hi Niels,
On 22/05/12 14:05, Niels Thykier wrote:
> [2] // Poor man's strdup
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(int argc, char **argv) {
> const char *s = argv[0];
> size_t l = strlen(s);
> char *cpy = malloc (l + 1);
> if (!cpy)
> return 1;
> strcpy(cpy, s);
> cpy[0
On Tue, May 22, 2012 at 12:54:19PM +0200, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
> For the record, I have just demoted no-stackprotector to a wild-guess
> (thus, it is now an I tag) and moved it to a separate profile
> (debian/extra-hardening) so it is no longer enabled
On 2012-05-22 13:05, Niels Thykier wrote:
> [...]
>
> Turns out hardening-check has a verbose flag that makes it print the
> affected functions - testing amarok (testing i386) I got[1]. Looks like
> memcpy is the primary source of false-positives (for amarok).
>
> If it turns out that memcpy is
On 2012-05-22 12:54, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
>> Hello,
>>
>
> Hi,
>
> [...]
>
> We use hardening-check (from hardening-includes) - as I recall it
> carries a list of "unprotected functions" and checks for them (via
> readelf). It maps them to a "safe-
On 2012-05-21 20:25, Modestas Vainius wrote:
> Hello,
>
Hi,
For the record, I have just demoted no-stackprotector to a wild-guess
(thus, it is now an I tag) and moved it to a separate profile
(debian/extra-hardening) so it is no longer enabled by default.
> On šeštadienis 19 Gegužė 2012 19:49:1
Hello,
On šeštadienis 19 Gegužė 2012 19:49:14 Russ Allbery wrote:
> Sven Joachim writes:
> > Easier said than done, how should I override this warning:
> >
> > ,----
> >
> > | W: libncurses5: hardening-no-fortify-functions
> > | usr/lib/i386-linux-gnu/libmenu.so.5.9
> >
> > `----
>
> libncurs
Sven Joachim writes:
> Easier said than done, how should I override this warning:
> ,----
> | W: libncurses5: hardening-no-fortify-functions
> usr/lib/i386-linux-gnu/libmenu.so.5.9
> `----
libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*
--
Russ Allbery (r...@debian.
On 2012-05-18 22:34 +0200, Russ Allbery wrote:
> Ralf Jung writes:
>
>> I'd like to extend this to hardening-no-fortify-functions: My package
>> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
>> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
>> -Werror=format-secu
Ralf Jung writes:
> I'd like to extend this to hardening-no-fortify-functions: My package
> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2"), but I get a
> hardening-no-
Hi,
I'd like to extend this to hardening-no-fortify-functions: My package
definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
"-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2"), but I get a hardening-no-stackprotector and hard
Package: lintian
Version: 2.5.7
Severity: normal
The new hardening warnings are certainly a useful reminder to use
dpkg-buildflags, but especially hardening-no-stackprotector seems to
have a high number of false positives. In ncurses-examples alone there
are no less than 40 hardening-no-stackprot