[hardening-discuss] Bug#578488: hardening-check fails to detect stack-protected/fortified binaries

Romain Francoise rfrancoise at debian.org
Tue Apr 20 09:09:21 UTC 2010


Package: hardening-includes
Version: 1.26
Severity: normal

hardening-check thinks that my program does not have stack protection
and fortify source, but I am pretty sure it does:

$ hardening-check /usr/bin/tmux 
/usr/bin/tmux:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: yes
zsh: exit 1     hardening-check /usr/bin/tmux
$

There seems to be a bug in the sed invocation used to filter readelf's
output for RELOC_REPORT. The call used in hardening-wrapper 1.26 is:

 sed -e 's/ \([0-9]+\)$//g; s/.* //g; s/@.*//g;'

The first expression (to remove the parenthesized number at eol) is
buggy: sed is called with basic expression syntax, so the parentheses
need not be escaped, and the + sign should be. It looks like you wanted
to use extended regexp syntax, so adding -r to the sed call is necessary
for the expression to match.

Thanks,

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (850, 'testing'), (800, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information
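The sed filter discussed in the report, as an added example that is not code from the bug report or from hardening-includes: it runs the 1.26 expression and the same expression under `sed -r` over constructed `readelf -sW` lines (the symbol names and "(N)" version indices are assumed sample values) and mirrors what the two failing checks look for in the result.

```shell
#!/bin/sh
# Added example, not code from the bug report or from hardening-includes:
# reproduces the readelf symbol filter on constructed `readelf -sW` lines and
# contrasts the BRE call from hardening-wrapper 1.26 with the same expression
# run under -r (extended regexps).

# Constructed sample lines in the layout `readelf -sW` uses for undefined,
# versioned symbols ("(N)" is the version index) and for a defined symbol.
SAMPLE_SYMS='    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    13: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __fprintf_chk@GLIBC_2.3.4 (4)
    45: 0000000000401136    22 FUNC    GLOBAL DEFAULT   13 main'

# Filter as shipped in 1.26: under basic regexp syntax \( \) form a group and
# "+" is a literal plus, so the trailing " (N)" is never removed and
# "s/.* //" then keeps only "(N)" from the versioned lines.
names_bre() {
    printf '%s\n' "$1" | sed -e 's/ \([0-9]+\)$//g; s/.* //g; s/@.*//g;'
}

# Same expression with -r (GNU sed; -E is the POSIX spelling): \( \) are now
# literal parentheses and "+" means one-or-more, so " (N)" is stripped first
# and the remaining substitutions leave the bare symbol name.
names_ere() {
    printf '%s\n' "$1" | sed -r -e 's/ \([0-9]+\)$//g; s/.* //g; s/@.*//g;'
}

# Mirror of what the two failing checks look for in the extracted names:
# the stack-protector failure hook and any fortified __*_chk function.
has_stack_protector() { names_ere "$1" | grep -qx '__stack_chk_fail'; }
has_fortify()         { names_ere "$1" | grep -q '^__.*_chk$'; }

echo "names with the 1.26 sed call:"; names_bre "$SAMPLE_SYMS"
echo "names with sed -r:";            names_ere "$SAMPLE_SYMS"
```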
