Debian Bug report logs - #702349
lintian should not complain about hardening for package written in pure Ocaml

Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Prach Pongpanich <prachpub@gmail.com>

Date: Tue, 5 Mar 2013 15:27:07 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Tue, 05 Mar 2013 15:27:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 05 Mar 2013 15:27:10 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Prach Pongpanich <prachpub@gmail.com>
To: submit@bugs.debian.org
Cc: debian-ocaml-maint@lists.debian.org
Subject: lintian should not complain about hardening for package written in pure Ocaml
Date: Tue, 5 Mar 2013 22:25:45 +0700
Package: lintian

lintian should not complain about hardening for package written in
pure Ocaml [0],[1],[2]


[0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
[1] http://lintian.debian.org/maintainer/debian-ocaml-maint@lists.debian.org.html
[2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F

Regards,

-- 
 ปรัชญ์ พงษ์พานิช
 Prach Pongpanich

 http://prach-public.blogspot.com



Merged 702347 702349 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Mar 2013 15:33:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Tue, 05 Mar 2013 15:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 05 Mar 2013 15:39:03 GMT) Full text and rfc822 format available.

Message #12 received at 702349@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: Prach Pongpanich <prachpub@gmail.com>, 702349@bugs.debian.org
Cc: debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Tue, 05 Mar 2013 16:35:17 +0100
On 2013-03-05 16:25, Prach Pongpanich wrote:
> Package: lintian
> 
> lintian should not complain about hardening for package written in
> pure Ocaml [0],[1],[2]
> 
> 
> [0] https://lists.debian.org/debian-ocaml-maint/2012/05/msg00091.html
> [1] http://lintian.debian.org/maintainer/debian-ocaml-maint@lists.debian.org.html
> [2] http://wiki.debian.org/HardeningWalkthrough#What_is_all_this_about.3F
> 
> Regards,
> 

Do ELF binaries produced by "pure" Ocaml have any distinct feature
that can be used to tell them apart from any other ELF binary?

~Niels





Disconnected #702347 from all other report(s). Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Tue, 05 Mar 2013 15:45:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Tue, 05 Mar 2013 20:09:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Glondu <glondu@crans.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 05 Mar 2013 20:09:12 GMT) Full text and rfc822 format available.

Message #19 received at 702349@bugs.debian.org (full text, mbox):

From: Stéphane Glondu <glondu@crans.org>
To: Niels Thykier <niels@thykier.net>
Cc: Prach Pongpanich <prachpub@gmail.com>, 702349@bugs.debian.org, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Tue, 05 Mar 2013 20:57:01 +0100
On 05/03/2013 16:35, Niels Thykier wrote:
> Do ELF binaries produced by "pure" Ocaml have any distinct feature
> that can be used to tell them apart from any other ELF binary?

ELF binaries produced by the OCaml compiler always include a bit of C
code (the runtime), so they are never actually "pure".

I don't think that the lintian tag (whatever its level) should be
removed at the moment. I am not planning to have a deeper look at this
issue before next release or next debconf, though.


Cheers,

-- 
Stéphane




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Wed, 06 Mar 2013 09:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hendrik Tews <tews@os.inf.tu-dresden.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 06 Mar 2013 09:06:03 GMT) Full text and rfc822 format available.

Message #24 received at 702349@bugs.debian.org (full text, mbox):

From: Hendrik Tews <tews@os.inf.tu-dresden.de>
To: 702349@bugs.debian.org
Cc: Prach Pongpanich <prachpub@gmail.com>, Niels Thykier <niels@thykier.net>, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Wed, 06 Mar 2013 09:37:00 +0100
Prach Pongpanich <prachpub@gmail.com> writes:

   lintian should not complain about hardening for package written in
   pure Ocaml [0],[1],[2]

The problem is that even pure OCaml contains enough features
that may permit arbitrary memory corruptions by an attacker. For
instance, String.unsafe_blit has no bounds checks, Obj.magic is
an unsafe cast, Marshal.from_channel may break the type
system, ...

Moreover, it is almost impossible to avoid these unsafe
functions, because they are used in the standard library. 

In principle I agree that programs written in a certain subset
of OCaml do not need these hardening features. However, at the
moment this safe subset is not even identified...

Bye,

Hendrik



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Wed, 06 Mar 2013 09:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Glondu <glondu@crans.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 06 Mar 2013 09:45:05 GMT) Full text and rfc822 format available.

Message #29 received at 702349@bugs.debian.org (full text, mbox):

From: Stéphane Glondu <glondu@crans.org>
To: Hendrik Tews <tews@os.inf.tu-dresden.de>
Cc: 702349@bugs.debian.org, Prach Pongpanich <prachpub@gmail.com>, Niels Thykier <niels@thykier.net>, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Wed, 06 Mar 2013 10:41:55 +0100
On 06/03/2013 09:37, Hendrik Tews wrote:
> In principle I agree that programs written in a certain subset
> of OCaml do not need these hardening features. However, at the
> moment this safe subset is not even identified...

OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
output) that could serve as a starting point for that.


Cheers,

-- 
Stéphane



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Wed, 06 Mar 2013 09:51:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hendrik Tews <tews@os.inf.tu-dresden.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 06 Mar 2013 09:51:12 GMT) Full text and rfc822 format available.

Message #34 received at 702349@bugs.debian.org (full text, mbox):

From: Hendrik Tews <tews@os.inf.tu-dresden.de>
To: 702349@bugs.debian.org
Cc: Prach Pongpanich <prachpub@gmail.com>, Niels Thykier <niels@thykier.net>, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Wed, 6 Mar 2013 10:48:26 +0100
   
   OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
   output) that could serve as a starting point for that.
   
Yes, I tried this on 

    let f b =
      let a = "abcde" in
      let c = Obj.magic b in
      String.unsafe_blit c 0 a 0 5

For the .cmo, ocamlobjinfo surprisingly reports

   Uses unsafe features: no

and for the .cmx it doesn't say anything about unsafe features.

Bye,

Hendrik



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Wed, 06 Mar 2013 09:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Glondu <glondu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 06 Mar 2013 09:57:07 GMT) Full text and rfc822 format available.

Message #39 received at 702349@bugs.debian.org (full text, mbox):

From: Stéphane Glondu <glondu@debian.org>
To: Hendrik Tews <tews@os.inf.tu-dresden.de>
Cc: 702349@bugs.debian.org, Prach Pongpanich <prachpub@gmail.com>, Niels Thykier <niels@thykier.net>, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Wed, 06 Mar 2013 10:55:06 +0100
On 06/03/2013 10:48, Hendrik Tews wrote:
>    OCaml has a built-in notion of "unsafe" feature (see ocamlobjinfo
>    output) that could serve as a starting point for that.
>    
> Yes, I tried this on 
> 
>     let f b =
>       let a = "abcde" in
>       let c = Obj.magic b in
>       String.unsafe_blit c 0 a 0 5
> 
> For the .cmo, ocamlobjinfo surprisingly reports
> 
>    Uses unsafe features: no
> 
> and for the .cmx it doesn't say anything about unsafe features.

But Obj (obviously) uses unsafe features!

Sure, Pervasives also uses unsafe features, but I was thinking about
adding some kind of whitelist system.

I was trying to be very cautious when I said "notion" and "starting
point" and put quotes around "unsafe"...


Cheers,

-- 
Stéphane
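
Added illustration, not part of the thread and not lintian or OCaml tooling: a source-level scan for the constructs Hendrik names (`Obj.magic`, `String.unsafe_blit`, `Marshal.from_channel`), with a per-module allowlist in the spirit of the whitelist idea above. The pattern list, its widening to whole families plus `external` declarations, and the names `find_unsafe`, `blank_noncode` and `allowed_modules` are assumptions of this example.

```python
import re

# Illustrative, incomplete list (assumption): the thread's three constructs, widened.
UNSAFE = [
    (re.compile(r"\bObj\.(?:magic|repr|obj)\b"), "unchecked cast"),
    (re.compile(r"\b[A-Z]\w*\.unsafe_\w+"), "no bounds check"),
    (re.compile(r"\bMarshal\.from_\w+"), "untyped unmarshal"),
    (re.compile(r"^\s*external\b"), "C primitive binding"),
]

def blank_noncode(src):
    """Blank out string literals and nested comments, preserving line numbers."""
    out, depth, in_str, i = [], 0, False, 0
    while i < len(src):
        c, two = src[i], src[i:i + 2]
        if in_str:
            step = 2 if c == "\\" else 1            # skip an escaped character
            in_str = c != '"'
        elif two == "(*":
            depth, step = depth + 1, 2              # OCaml comments nest
        elif depth and two == "*)":
            depth, step = depth - 1, 2
        elif not depth and src[i:i + 3] == "'\"'":  # char literal, not a string
            step = 3
        elif not depth and c == '"':
            in_str, step = True, 1
        else:
            step = 1 if depth else 0                # 0 means: real code, keep it
        chunk = src[i:i + max(step, 1)]
        out.append(chunk if step == 0 else re.sub(r"[^\n]", " ", chunk))
        i += len(chunk)
    return "".join(out)

def find_unsafe(src, module, allowed_modules=frozenset()):
    """Return [(line, match, reason)]; allowlisted (audited) modules are skipped."""
    if module in allowed_modules:
        return []
    code = blank_noncode(src).splitlines()
    return [(no, m.group(0).strip(), why)
            for no, line in enumerate(code, 1)
            for rx, why in UNSAFE for m in rx.finditer(line)]

# Constructed sample: the snippet from the thread plus decoy comment and string.
SAMPLE = '''(* Obj.magic mentioned in a comment (* nested *) only *)
let msg = "String.unsafe_blit in a string"
let f b =
  let a = "abcde" in
  let c = Obj.magic b in
  String.unsafe_blit c 0 a 0 5
'''
```

A scan like this sees only direct references in the unit it is given; unsafe calls reached through another module still depend on that module being scanned or allowlisted.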



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Mon, 06 Jan 2014 15:36:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Mon, 06 Jan 2014 15:36:05 GMT) Full text and rfc822 format available.

Message #44 received at 702349@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Stéphane Glondu <glondu@crans.org>
Cc: Niels Thykier <niels@thykier.net>, Prach Pongpanich <prachpub@gmail.com>, 702349@bugs.debian.org, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Mon, 6 Jan 2014 16:24:38 +0100
On Tue, Mar 05, 2013 at 08:57:01PM +0100, Stéphane Glondu wrote:
> On 05/03/2013 16:35, Niels Thykier wrote:
> > Do ELF binaries produced by "pure" Ocaml have any distinct feature
> > that can be used to tell them apart from any other ELF binary?
> 
> ELF binaries produced by the OCaml compiler always include a bit of C
> code (the runtime), so they are never actually "pure".
> 
> I don't think that the lintian tag (whatever its level) should be
> removed at the moment. I am not planning to have a deeper look at this
> issue before next release or next debconf, though.

Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
that while Ocaml packages produce ELF binaries they are not covered by
the hardening effort?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#702349; Package lintian. (Mon, 03 Feb 2014 16:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Glondu <glondu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Mon, 03 Feb 2014 16:45:04 GMT) Full text and rfc822 format available.

Message #49 received at 702349@bugs.debian.org (full text, mbox):

From: Stéphane Glondu <glondu@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Niels Thykier <niels@thykier.net>, Prach Pongpanich <prachpub@gmail.com>, 702349@bugs.debian.org, debian-ocaml-maint@lists.debian.org
Subject: Re: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Date: Mon, 03 Feb 2014 17:42:35 +0100
On 06/01/2014 16:24, Moritz Muehlenhoff wrote:
>> On 05/03/2013 16:35, Niels Thykier wrote:
>>> Do ELF binaries produced by "pure" Ocaml have any distinct feature
>>> that can be used to tell them apart from any other ELF binary?
>>
>> ELF binaries produced by the OCaml compiler always include a bit of C
>> code (the runtime), so they are never actually "pure".
>>
>> I don't think that the lintian tag (whatever its level) should be
>> removed at the moment. I am not planning to have a deeper look at this
>> issue before next release or next debconf, though.
> 
> Could you please add a note to https://wiki.debian.org/HardeningWalkthrough
> that while Ocaml packages produce ELF binaries they are not covered by
> the hardening effort?

I just did that.

BTW, the OCaml build system is quite messy and it will take longer than
expected to "fix" it for hardening...

Cheers,

-- 
Stéphane




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:44:11 2014; Machine Name: buxtehude.debian.org
