[hardening-discuss] Bug#759322: False positive in binwalk libraries
Gianfranco Costamagna
costamagnagianfranco at yahoo.it
Tue Aug 26 08:55:20 UTC 2014
Package: hardening-includes
Version: 2.5+nmu1
Severity: Important
Hi maintainer, the last
Steps to reproduce (reproducible on a sid pbuilder clean environment)
# apt-get install binwalk hardening-check
# hardening-check /usr/lib/python2.7/dist-packages/binwalk/libs/libcompress42.so
/usr/lib/python2.7/dist-packages/binwalk/libs/libcompress42.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
# hardening-check /usr/lib/python2.7/dist-packages/binwalk/libs/libtinfl.so
/usr/lib/python2.7/dist-packages/binwalk/libs/libtinfl.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no, not found!
I don't think I should blame binwalk since both libraries are built with almost the same Makefile, and I see the flags injected correctly:
https://buildd.debian.org/status/fetch.php?pkg=binwalk&arch=i386&ver=2.0.1-1&stamp=1408985010
make[3]: Entering directory '/«PKGBUILDDIR»/src/C/miniz'
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c tinfl.c
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -Wl,-soname,libtinfl.so tinfl.o -o libtinfl.so -Wl,-z,relro
chmod +x libtinfl.so
make[3]: Leaving directory '/«PKGBUILDDIR»/src/C/miniz'
cp miniz/*.so "../"./binwalk/libs""
make -C compress
make[3]: Entering directory '/«PKGBUILDDIR»/src/C/compress'
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 compress42.c -c
gcc -Wall -fPIC -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -Wl,-soname,libcompress42.so compress42.o -o libcompress42.so -Wl,-z,relro
chmod +x libcompress42.so
This is why I'm creating this bug report, because I believe this might be a false positive on your package.
Have many thanks,
Gianfranco