Hello,

to build + package dovecot I use the usual Debian tool chain. That includes build with selected GCC options and running lintian.

I have noticed for a long time (read: many earlier versions, up to 2.2.35) these lintian warnings:

I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth
N:
N: This package provides an ELF binary that lacks the use of fortified libc
N: functions. Either there are no potentially unfortified functions called
N: by any routines, all unfortified calls have already been fully validated
N: at compile-time, or the package was not built with the default Debian
N: compiler flags defined by dpkg-buildflags. If built using
N: dpkg-buildflags directly, be sure to import CPPFLAGS.
N:
N: NB: Due to false-positives, Lintian ignores some unprotected functions
N: (e.g. memcpy).
N:
N: Refer to https://wiki.debian.org/Hardening and
N: https://bugs.debian.org/673112 for details.
N:
N: Severity: normal, Certainty: wild-guess
N:
N: Check: binaries, Type: binary, udeb
N:
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/config
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/director
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/imap
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-login.so.0.0.0
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-storage.so.0.0.0
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib10_quota_plugin.so
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_fts_plugin.so
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_replication_plugin.so
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib99_welcome_plugin.so
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/quota-status
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script-login
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/xml2text

As you may note, not all binaries are affected. doveadm, doveconf or dovecot aren't for example.

My (simplified) debian/rules:

#!/usr/bin/make -f

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/autotools.mk

DEB_DH_STRIP_ARGS = --dbg-package=dovecot-core-dbg

This results in that call to configure:

CFLAGS="-g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security" CXXFLAGS="-g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,relro -Wl,-z,now" /<<PKGBUILDDIR>>/./configure --build=x86_64-linux-gnu --prefix=/usr --includedir="\${prefix}/include" --mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" --sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/dovecot" --srcdir=. --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --libexecdir=/usr/lib --localstatedir=/var --with-statedir=/var/lib/dovecot --with-moduledir=/usr/lib/dovecot/modules --without-docs

I may provide a full build log if that would be helpful.
To me that looks like not all binaries are built with the same CFLAGS / CXXFLAGS / CPPFLAGS / LDFLAGS

Andreas

> On 30 March 2018 at 15:08 "A. Schulze" <sca at andreasschulze.de> wrote:
>
>
> Hello,
>
> to build + package dovecot I use the usual Debian tool chain. That includes build with selected GCC options and running lintian.
>
> I have noticed for a long time (read: many earlier versions, up to 2.2.35) these lintian warnings:
>
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth
> N:
> N: This package provides an ELF binary that lacks the use of fortified libc
> N: functions. Either there are no potentially unfortified functions called
> N: by any routines, all unfortified calls have already been fully validated
> N: at compile-time, or the package was not built with the default Debian
> N: compiler flags defined by dpkg-buildflags. If built using
> N: dpkg-buildflags directly, be sure to import CPPFLAGS.
> N:
> N: NB: Due to false-positives, Lintian ignores some unprotected functions
> N: (e.g. memcpy).
> N:
> N: Refer to https://wiki.debian.org/Hardening and
> N: https://bugs.debian.org/673112 for details.
> N:
> N: Severity: normal, Certainty: wild-guess
> N:
> N: Check: binaries, Type: binary, udeb
> N:
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/config
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/director
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/imap
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-login.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-storage.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib10_quota_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_fts_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_replication_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib99_welcome_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/quota-status
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script-login
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/xml2text
>
> As you may note, not all binaries are affected. doveadm, doveconf or dovecot aren't for example.
>
> My (simplified) debian/rules:
> #!/usr/bin/make -f
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> DPKG_EXPORT_BUILDFLAGS = 1
> include /usr/share/dpkg/buildflags.mk
>
> include /usr/share/cdbs/1/rules/debhelper.mk
> include /usr/share/cdbs/1/class/autotools.mk
>
> DEB_DH_STRIP_ARGS = --dbg-package=dovecot-core-dbg
>
> This results in that call to configure:
>
> CFLAGS="-g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security" CXXFLAGS="-g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,relro -Wl,-z,now" /<<PKGBUILDDIR>>/./configure --build=x86_64-linux-gnu --prefix=/usr --includedir="\${prefix}/include" --mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" --sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/dovecot" --srcdir=. --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --libexecdir=/usr/lib --localstatedir=/var --with-statedir=/var/lib/dovecot --with-moduledir=/usr/lib/dovecot/modules --without-docs
>
> I may provide a full build log if that would be helpful.
> To me that looks like not all binaries are built with the same CFLAGS / CXXFLAGS / CPPFLAGS / LDFLAGS
>
> Andreas

Hi!

Dovecot 2.3 has hardening enabled.

Aki
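
What the hardening-no-fortify-functions tag in this thread is reasoning about, as an added example that is not part of the original messages and is not lintian's or Dovecot's own code: it sorts a binary's imported libc symbols into fortified `__NAME_chk` wrappers and plain calls. The function list, the verdict names and the sample symbol lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not lintian's or Dovecot's code: classify imported libc
# symbols as fortified (__NAME_chk) or plain.

# Assumption: hand-picked subset of functions glibc wraps as __NAME_chk.
FORTIFIABLE="strcpy strncpy strcat sprintf snprintf vsnprintf memcpy memmove memset read fgets"
# Plain imports left uncounted, following the lintian note about memcpy.
IGNORE_PLAIN="memcpy"

# stdin: undefined dynamic symbol names, one per line.
# stdout: <verdict> fortified=<n> unfortified=<n> [plain fortifiable imports]
#   yes = some __NAME_chk import, no = only plain imports (the case the
#   tag reports), unknown = none of the listed functions imported.
fortify_verdict() {
    awk -v list="$FORTIFIABLE" -v ign="$IGNORE_PLAIN" '
        BEGIN {
            n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1
            m = split(ign, b, " ");  for (i = 1; i <= m; i++) skip[b[i]] = 1
        }
        { sym = $1; sub(/@.*/, "", sym) }          # drop @GLIBC_x.y suffix
        sym ~ /^__.*_chk$/ {
            base = substr(sym, 3, length(sym) - 6) # __strcpy_chk -> strcpy
            if (base in want) f++
            next
        }
        (sym in want) && !(sym in skip) { u++; names = names " " sym }
        END {
            v = "unknown"; if (u > 0) v = "no"; if (f > 0) v = "yes"
            printf "%s fortified=%d unfortified=%d%s\n", v, f, u, names
        }'
}

# Same classification on a real ELF file (needs nm from binutils).
check_binary() {
    nm -D --undefined-only "$1" 2>/dev/null | awk '{ print $NF }' | fortify_verdict
}

# Constructed symbol lists standing in for three kinds of binary.
SAMPLE_FORTIFIED='__snprintf_chk@GLIBC_2.3.4
__memcpy_chk@GLIBC_2.3.4'
SAMPLE_PLAIN='strcpy@GLIBC_2.2.5
sprintf@GLIBC_2.2.5'
SAMPLE_NONE='malloc@GLIBC_2.2.5
memcpy@GLIBC_2.14'

for s in "$SAMPLE_FORTIFIED" "$SAMPLE_PLAIN" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | fortify_verdict
done
```

Point `check_binary` at an unpacked file such as `usr/lib/dovecot/auth` to get the verdict for one of the flagged binaries; a `no` result lists the plain imports worth tracing back to their compile lines in the build log.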