
Debian: the Lintian tests complain about "hardening-no-fortify-functions usr/lib/mysql/plugin/auth_pam.so"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not a Bug
    • Affects Version/s: 10.0
    • Fix Version/s: N/A
    • Component/s: Compiling
    • Labels:
      None

      Description

      The Lintian tests complain about "hardening-no-fortify-functions usr/lib/mysql/plugin/auth_pam.so"
      http://labs.seravo.fi/~otto/mariadb-repo/mariadb-10.0-sid-amd64/lintian-0f7cb30.log
      https://lintian.debian.org/tags/hardening-no-fortify-functions.html

            Activity

            svoj Sergey Vojtovich added a comment -

            According to Lintian:

            Either there are no potentially unfortified functions called by any routines, all unfortified calls have already been fully validated at compile-time, or the package was not built with the default Debian compiler flags defined by dpkg-buildflags.

            If I do hardening-check -v auth_pam.so, I get something like this:

            ...
             Fortify Source functions: no, only unprotected functions found!
            	unprotected: strncpy
            	unprotected: memcpy
            ...

            If I do hardening-check -v mysqld, I get something like this:

            ...
             Fortify Source functions: yes (some protected functions found)
            	unprotected: strncpy
            	unprotected: memcpy
            	protected: strncpy
            	protected: memcpy
            ...

            According to code analysis both calls could have been validated during compile time (there are obvious boundary checks). So I assume there are indeed "no potentially unfortified functions called by any routines".

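            What the Lintian tag actually measures, as an added example that is not from the ticket, from Debian's tooling or from MariaDB: a POSIX shell re-creation of the FORTIFY symbol test, run on constructed symbol lists for the two objects compared above. The trimmed function list and the third verdict string are assumptions.

```shell
# Added example, not part of the MariaDB ticket: a minimal re-creation of the FORTIFY test
# that Debian's hardening-check applies. Input: undefined dynamic symbol names, one per line
# (e.g. `nm -D --undefined-only FILE | awk '{print $NF}'`). A libc call counts as "protected"
# when the object imports the __NAME_chk wrapper and "unprotected" when it imports plain NAME.
# A plain import alone does not prove a missing check: with -D_FORTIFY_SOURCE the compiler
# emits the plain call whenever it has already proven the bounds at compile time.

# Assumed, trimmed list of libc functions that have a __*_chk counterpart.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf read fgets"

# fortify_verdict: reads symbol names on stdin and prints the verdict plus per-function detail.
fortify_verdict() {
    syms=$(cat)
    protected=""
    unprotected=""
    for fn in $FORTIFIABLE; do
        if printf '%s\n' "$syms" | grep -qx "__${fn}_chk"; then
            protected="$protected $fn"
        fi
        if printf '%s\n' "$syms" | grep -qx "$fn"; then
            unprotected="$unprotected $fn"
        fi
    done
    if [ -n "$protected" ]; then
        echo "yes (some protected functions found)"
    elif [ -n "$unprotected" ]; then
        echo "no, only unprotected functions found!"
    else
        echo "n/a (no fortifiable libc functions imported)"
    fi
    for fn in $unprotected; do printf '\tunprotected: %s\n' "$fn"; done
    for fn in $protected; do printf '\tprotected: %s\n' "$fn"; done
}

# Constructed symbol lists mirroring the two objects compared in the ticket.
# auth_pam.so: both copies were validated at compile time, so only the plain symbols remain.
AUTH_PAM_SYMS="strncpy
memcpy
pam_start
pam_authenticate"
# mysqld: some call sites could not be proven safe, so the _chk wrappers are imported too.
MYSQLD_SYMS="strncpy
memcpy
__strncpy_chk
__memcpy_chk
pthread_mutex_lock"

printf '%s\n' "$AUTH_PAM_SYMS" | fortify_verdict
printf '%s\n' "$MYSQLD_SYMS" | fortify_verdict
```

            The auth_pam.so list yields the "no" verdict even though the ticket's code analysis found both copies bounded, which is exactly the false positive discussed here; the test only sees which symbols are imported, not why.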
            svoj Sergey Vojtovich added a comment -

            Otto Kekäläinen, could you review my findings? I believe it was a false positive.

            otto Otto Kekäläinen added a comment -

            I don't understand the topic well enough to validate/invalidate your findings.

            svoj Sergey Vojtovich added a comment -

            Then closing this as not a bug. Should we report this false positive to lintian?

            otto Otto Kekäläinen added a comment -

            Ok, I also added a Lintian override https://github.com/ottok/mariadb-10.0/commit/53ec8b7dd63ed47bf44d92207f188f8db63be1f1

            otto Otto Kekäläinen added a comment -
            otto Otto Kekäläinen added a comment -

            There are no other complaints about hardening in the package by Lintian at the moment: https://lintian.debian.org/full/pkg-mysql-maint@lists.alioth.debian.org.html#mariadb-10.0_10.0.20-1


              People

              • Assignee:
                svoj Sergey Vojtovich
              • Reporter:
                svoj Sergey Vojtovich
              • Votes:
                0
              • Watchers:
                3
