[Neurodebian-upstream] False positives for lintian hardening tags

Sebastian Eichelbaum eichelbaum at informatik.uni-leipzig.de
Wed Jan 23 10:59:22 UTC 2013


Hi Everyone

I currently maintain the Debian package of OpenWalnut. We provide a package containing several plugins for the software in the form of several separate libraries in /usr/lib/openwalnut. Unfortunately, Lintian complains about missing hardening options and warns with these tags

* hardening-no-fortify-functions
* hardening-no-stackprotector

I have checked whether our build system (cmake) is using the proper flags from dpkg-buildflags which outputs all the needed fortify/hardening options required by the debian wiki (http://wiki.debian.org/Hardening).

... and yes it is using the correct flags:

Compilation:
/usr/bin/c++ -DsuperquadricGlyphs_EXPORTS -D_FORTIFY_SOURCE=2 -DBOOST_FILESYSTEM_VERSION=3 -DEIGEN_DONT_VECTORIZE -DEIGEN_DONT_ALIGN -DEIGEN_DISABLE_UNALIGNED_ARRAY_ASSERT -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -frtti -pedantic -std=c++98 -Wall -Wno-long-long -Wextra  -O3 -fPIC -I/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/src -I/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/build/versionHeader -I/usr/include/eigen3    -o CMakeFiles/superquadricGlyphs.dir/superquadricGlyphs/WMSuperquadricGlyphs.cpp.o -c /build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/src/modules/superquadriGlyphs/WMSuperquadricGlyphs.cpp

Linking:
/usr/bin/c++ -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -frtti -pedantic -std=c++98 -Wall -Wno-long-long -Wextra  -O3 -Wl,-z,relro -Wl,--no-undefined -Wl,--allow-shlib-undefined,--as-needed -shared -Wl,-soname,libsuperquadricGlyphs.so.1 -o ../lib/openwalnut/superquadricGlyphs/libsuperquadricGlyphs.so.1.3.0 CMakeFiles/superquadricGlyphs.dir/superquadricGlyphs/WMSuperquadricGlyphs.cpp.o -lstdc++ -lm ../lib/libopenwalnut.so.1.3.0 -lboost_program_options-mt -lboost_thread-mt -lpthread -lboost_filesystem-mt -lboost_date_time-mt -lboost_system-mt -lboost_signals-mt -lboost_regex-mt -lGL -losgDB -losgUtil -losgGA -losgViewer -losgSim -losgWidget -losgText -losg -lOpenThreads -lstdc++ -lm -ldl -lGL -losgDB -losgUtil -losgGA -losgViewer -losgSim -losgWidget -losgText -losg -lOpenThreads -Wl,-rpath,/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/build/lib: 

In these lines you will find the dpkg-buildflags:

CXX Flags: -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
LD Flags: -Wl,-z,relro

The strange thing is that these lintian warnings get thrown only for the plugin package. The main package containing our lib and an executable does not throw these warnings. Maybe you know a proper solution (besides overriding these lintian tags) to get this fixed. Maybe one of our other build flags overrides some hardening option?


Thank you in advance
and have a nice week.

Sebastian

-- 
Dipl.-Inf. Sebastian Eichelbaum
Universität Leipzig
Institut für Informatik
Abteilung Bild- und Signalverarbeitung
PF 100920
D-04009 Leipzig
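
An added example, not code from the post or from the OpenWalnut project: the two lintian tags come from a symbol-level heuristic (the one hardening-check applies), which inspects the undefined dynamic symbols of an object for `__stack_chk_fail` and for fortified `__*_chk` libc entry points. An object compiled with the correct flags but containing no function that needed a canary, and no fortifiable call whose destination size the compiler could see, leaves nothing for that heuristic to find, so the verdict depends on the code in the object rather than on the flags. The script below re-creates the heuristic in POSIX shell and then compiles two constructed plugin sources with exactly the dpkg-buildflags quoted in the post, one that passes and one that trips both tags. It assumes a glibc-based cc (gcc or clang) with nm and readelf on PATH; `plugin_a`, `plugin_b`, `plugin_sink` and the function names are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the OpenWalnut
# project.  Re-creates the symbol-level heuristic behind lintian's
# hardening-no-stackprotector / hardening-no-fortify-functions tags and
# runs it on two constructed plugins built with the flags quoted in the post.
# Assumes a glibc toolchain with cc, nm and readelf (binutils) on PATH.

# glibc functions that get a __*_chk variant when the destination size is
# known at compile time (subset of the list hardening-check uses).
FORTIFIABLE='memcpy|memmove|memset|strcpy|strncpy|strcat|strncat|sprintf|snprintf|vsprintf|vsnprintf|read|fgets|printf|fprintf'

# check_hardening FILE: prints "stack-protector: yes|no", "fortify:
# yes|no|unknown", "relro: yes|no"; returns 0 only when neither tag would fire.
check_hardening() {
    f=$1
    # Undefined dynamic symbols, version suffix (@GLIBC_x.y) stripped.
    undef=$(nm -D -u "$f" 2>/dev/null | awk '{print $NF}' | sed 's/@.*//')
    if printf '%s\n' "$undef" | grep -qx '__stack_chk_fail'; then sp=yes; else sp=no; fi
    if printf '%s\n' "$undef" | grep -q '^__.*_chk$'; then
        fs=yes
    elif printf '%s\n' "$undef" | grep -qxE "($FORTIFIABLE)"; then
        fs=no        # fortifiable calls present but none fortified: tag fires
    else
        fs=unknown   # nothing fortifiable was called: lintian stays silent
    fi
    if readelf -lW "$f" 2>/dev/null | grep -q GNU_RELRO; then rl=yes; else rl=no; fi
    printf 'stack-protector: %s\nfortify: %s\nrelro: %s\n' "$sp" "$fs" "$rl"
    [ "$sp" = yes ] && [ "$fs" != no ]
}

# dpkg-buildflags values copied from the post, plus the -D_FORTIFY_SOURCE=2
# the compile line carries (-U first silences toolchains that predefine it).
CFLAGS_HARDEN='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2'
LDFLAGS_HARDEN='-Wl,-z,relro'

# build_plugin NAME SOURCE: compiles ./lib<NAME>.so with the flags above.
build_plugin() {
    printf '%s\n' "$2" > "$1.c"
    ${CC:-cc} $CFLAGS_HARDEN -fPIC -shared $LDFLAGS_HARDEN -o "lib$1.so" "$1.c"
}

# Constructed plugin A: a 64-byte stack buffer (>= ssp-buffer-size) and a
# memcpy into it with a run-time length -> canary plus __memcpy_chk.
PLUGIN_A='
#include <stddef.h>
#include <string.h>
void plugin_sink(const char *, size_t);          /* hypothetical host API */
void plugin_a_filter(const char *src, size_t n) {
    char buf[64];
    memcpy(buf, src, n);    /* destination size known: fortified */
    plugin_sink(buf, n);
}'

# Constructed plugin B: same flags, but no stack arrays and a memcpy whose
# destination is heap memory of unknown size -> nothing for the heuristic
# to find, although every hardening flag was on the command line.
PLUGIN_B='
#include <stdlib.h>
#include <string.h>
void *plugin_b_dup(const void *src, size_t n) {
    void *d = malloc(n);
    if (d) memcpy(d, src, n);   /* destination size unknown: plain memcpy */
    return d;
}
int plugin_b_version(void) { return 1; }'

# demo: build both plugins in a scratch directory and print the verdicts.
demo() {
    tmp=$(mktemp -d) && cd "$tmp" || return 1
    build_plugin plugin_a "$PLUGIN_A"
    build_plugin plugin_b "$PLUGIN_B"
    for lib in libplugin_a.so libplugin_b.so; do
        echo "== $lib"
        check_hardening "$lib" || echo "   -> lintian would flag this object"
    done
}

demo
```

Run it as `sh hardening_demo.sh`; the final `demo` call builds both libraries in a temporary directory and prints the three verdicts for each. Plugin A reports yes for all three, plugin B reports no stack protector and no fortify with the identical command line. Since `check_hardening` only looks at undefined dynamic symbols, a plugin whose code has no stack buffers of four bytes or more and whose fortifiable calls all write to destinations of unknown size (heap allocations, pointers handed in by the host application) is judged exactly like the superquadricGlyphs object in the post, which is the situation in which this check cannot tell hardened code from unhardened code. Running the function on the real `.so` (for example `check_hardening /usr/lib/openwalnut/superquadricGlyphs/libsuperquadricGlyphs.so.1.3.0`) shows which of the two conditions the plugin actually hits.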


