/usr/share/lintian/checks/binaries.desc is in lintian 2.5.10.4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 | Check-Script: binaries
Author: Christian Schwarz <schwarz@debian.org>
Abbrev: bin
Type: binary, udeb
Needs-Info: hardening-info, objdump-info, file-info, strings, index
Info: This script checks binaries and object files for bugs.
Tag: arch-independent-package-contains-binary-or-object
Severity: serious
Certainty: possible
Info: The package contains a binary or object file but is tagged
Architecture: all.
.
If this package contains binaries or objects for cross-compiling or
binary blobs for other purposes independent of the host architecture
(such as BIOS updates or firmware), please add a Lintian override.
Tag: unstripped-binary-or-object
Severity: important
Certainty: certain
Ref: policy 10.1, policy 10.2
Info: The package installs an unstripped binary or object file.
.
Please note, that shared libraries have to be stripped with the
<tt>--strip-unneeded</tt> option.
Tag: library-in-debug-or-profile-should-not-be-stripped
Severity: serious
Certainty: certain
Info: Libraries in <tt>.../lib/debug</tt> or in
<tt>.../lib/profile</tt> must not be stripped; this defeats the whole
point of the separate library.
Tag: statically-linked-binary
Severity: important
Certainty: possible
Info: The package installs a statically linked binary or object file.
.
Usually this is a bug. Otherwise, please add an override if your package
is an exception. Binaries named *-static and *.static are automatically
excluded, as are any binaries in packages named *-static.
Tag: library-not-linked-against-libc
Severity: minor
Certainty: certain
Info: The package installs a library which is not dynamically linked
against libc.
Tag: program-not-linked-against-libc
Severity: minor
Certainty: certain
Info: The package installs a binary which is not dynamically linked
against libc.
Tag: binary-or-shlib-defines-rpath
Severity: serious
Certainty: possible
Ref: http://wiki.debian.org/RpathIssue
Info: The binary or shared library sets RPATH. This overrides the normal
library search path, possibly interfering with local policy and causing
problems for multilib, among other issues.
.
The only time a binary or shared library in a Debian package should set
RPATH is if it is linked to private shared libraries in the same package.
In that case, place those private shared libraries in
<tt>/usr/lib/<i>package</i></tt>. Libraries used by binaries in other
packages should be placed in <tt>/lib</tt> or <tt>/usr/lib</tt> as
appropriate, with a proper SONAME, in which case RPATH is unnecessary.
.
To fix this problem, look for link lines like:
gcc test.o -o test -Wl,--rpath,/usr/local/lib
or
gcc test.o -o test -R/usr/local/lib
and remove the <tt>-Wl,--rpath</tt> or <tt>-R</tt> argument. You can also
use the chrpath utility to remove the RPATH.
Tag: binary-has-unneeded-section
Severity: wishlist
Certainty: certain
Info: The binary or shared library is stripped, but still contains a
section that is not useful. You should call strip with
<tt>--remove-section=.comment --remove-section=.note</tt> to remove the
<tt>.note</tt> and <tt>.comment</tt> sections.
.
<tt>dh_strip</tt> will do this automatically for you, but
<tt>install -s</tt> not because it calls strip without any arguments.
Tag: missing-depends-line
Severity: normal
Certainty: certain
Info: The package contains an ELF binary with dynamic dependencies,
but does not have a Depends line in its control file. This usually
means that a call to <tt>dpkg-shlibdeps</tt> is missing from the
package's <tt>debian/rules</tt> file.
Tag: shared-lib-without-dependency-information
Severity: normal
Certainty: certain
Info: The listed shared library doesn't include information about which
other libraries the library was linked against. (When running "<tt>ldd
foo.so</tt>" ldd should report about these other libraries. In your
case, ldd just reports "statically linked".)
.
To fix this, you should explicitly specify the libraries which are
used (e.g., "-lc") when building the shared library with "ld".
.
If you have questions about this, please contact &debdev;.
Tag: arch-dependent-file-in-usr-share
Severity: serious
Certainty: certain
Ref: fhs usrsharearchitectureindependentdata
Info: This package installs an ELF binary in the <tt>/usr/share</tt>
hierarchy, which is reserved for architecture-independent files.
Tag: arch-dependent-file-not-in-arch-specific-directory
Severity: serious
Certainty: possible
Ref: https://wiki.ubuntu.com/MultiarchSpec
Info: This package is Multi-Arch "same", but it installs an ELF binary in the
directory that is not architecture-specific.
Tag: binary-in-etc
Severity: serious
Certainty: certain
Ref: fhs etchostspecificsystemconfiguration
Info: This package installs an ELF binary in <tt>/etc</tt>. The
Filesystem Hierarchy Standard forbids this.
Tag: binary-compiled-with-profiling-enabled
Severity: normal
Certainty: certain
Info: While profiling is useful for testing and debugging purposes, enabling
it causes a program to leave gmon.out files whenever a user runs it.
Tag: binary-file-compressed-with-upx
Severity: serious
Certainty: certain
Info: Debian does not allow binaries to be compressed by UPX.
Tag: package-name-doesnt-match-sonames
Severity: normal
Certainty: possible
Info: The package name of a library package should usually reflect
the soname of the included library. The package name can determined
from the library file name with the following code snippet:
.
$ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | sed -e's/\([0-9]\)\.so\./\1-/; s/\.so\.//'
Tag: binary-with-bad-dynamic-table
Severity: serious
Certainty: possible
Info: This appears to be an ELF file but objdump -T cannot parse it.
If it is external debugging symbols for another file, it should be
installed under /usr/lib/debug.
Tag: apparently-corrupted-elf-binary
Severity: normal
Certainty: possible
Info: This appears to be an ELF file but objdump -T doesn't recognize it
as valid. This may be a mistake or a corrupted file, you may need to
install binutils-multiarch on the system running lintian so that
non-native binaries are handled correctly, or it may be a
misidentification of a file as ELF that actually isn't.
Tag: apparently-truncated-elf-binary
Severity: normal
Certainty: possible
Info: This appears to be an ELF file, but objdump believes it is
truncated. This may be a mistake or a corrupted file, or it may be a
misidentification of a file as ELF that actually isn't.
Tag: missing-dependency-on-libc
Severity: serious
Certainty: possible
Ref: policy 8.6
Info: The listed file appears to be linked against the C library, but the
package doesn't depend on the C library package. Normally this indicates
that ${shlibs:Depends} was omitted from the Depends line for this package
in <tt>debian/control</tt>.
.
All shared libraries and compiled binaries must be run through
dpkg-shlibdeps to find out any libraries they are linked against (often
via the dh_shlibdeps debhelper command). The package containing these
files must then depend on ${shlibs:Depends} in <tt>debian/control</tt> to
get the proper package dependencies for those libraries.
Tag: missing-dependency-on-perlapi
Severity: serious
Certainty: certain
Ref: perl-policy 4.4.2
Info: This package includes a *.so file in <tt>/usr/lib/perl5</tt>,
normally indicating that it includes a binary Perl module. Binary Perl
modules must depend on perlapi-$Config{version} (from the Config module).
If the package is using debhelper, this problem is usually due to a
missing dh_perl call in <tt>debian/rules</tt> or a missing
${perl:Depends} substitution variable in the Depends line in
<tt>debian/control</tt>.
Tag: missing-dependency-on-phpapi
Severity: serious
Certainty: certain
Info: This package includes a *.so file in <tt>/usr/lib/phpN</tt>
(where N is a number representing the major PHP version), normally
indicating that it includes a PHP extension. PHP extensions must
depend on phpapi-$(php-configN --phpapi), without adding an
alternative package with the OR operator.
.
This can usually be achieved by, for example, adding the following
code to the binary-arch target of the rules file and adding
<tt>${php:Depends}</tt> to the <tt>Depends</tt> field of the binary
package shipping the extension:
.
echo "php:Depends=phpapi-$(php-config5 --phpapi)" > debian/substvars
Tag: missing-dependency-on-numpy-abi
Severity: serious
Certainty: possible
Info: This package includes a Python extension module, which uses Numpy via its
binary interface. Such packages must depend on python-numpy-abi<i>N</i>.
.
If the package is using debhelper, this problem is usually due to a
missing dh_numpy (or dh_numpy3) call in <tt>debian/rules</tt>.
Ref: /usr/share/doc/python-numpy/README.DebianMaints
Tag: debug-file-should-use-detached-symbols
Severity: normal
Certainty: certain
Ref: devref 6.7.9
Info: This file is in a location generally used for detached debugging
symbols, but it appears to contain a complete copy of the executable or
library instead of only the debugging symbols. Files in subdirectories
of <tt>/usr/lib/debug</tt> mirroring the main file system should contain
only debugging information generated by <tt>objcopy
--only-keep-debug</tt>. Binaries or shared objects built with extra
debugging should be installed directly in <tt>/usr/lib/debug</tt> or in
subdirectories corresponding to the package, not in the directories that
mirror the main file system.
.
If you are using dh_strip with the --dbg-package flag, don't also install
the library in <tt>/usr/lib/debug</tt>. dh_strip does all the work for
you.
Tag: binary-from-other-architecture
Severity: serious
Certainty: possible
Info: This ELF binary appears to have been built for an architecture other
than the one of the binary package being tested. This may occur when a
pre-built binary is shipped in the package or when an attempt to
cross-compile didn't work.
Tag: spelling-error-in-binary
Severity: minor
Certainty: wild-guess
Info: Lintian found a spelling error in the given binary. Lintian has a
list of common misspellings that it looks for. It does not have a
dictionary like a spelling checker does.
.
If the string containing the spelling error is translated with the help
of gettext or a similar tool, please fix the error in the translations as
well as the English text to avoid making the translations fuzzy. With
gettext, for example, this means you should also fix the spelling mistake
in the corresponding msgids in the *.po files.
.
You can often find the word in the source code by running:
.
grep -rw <word> <source-tree>
.
This tag may produce false positives for words that contain non-ASCII
characters due to limitations in <tt>strings</tt>.
Tag: embedded-library
Severity: serious
Certainty: possible
Ref: policy 4.13
Info: The given ELF object appears to have been statically linked to
a library. Doing this is strongly discouraged due to the extra work
needed by the security team to fix all the extra embedded copies or
trigger the package rebuilds, as appropriate.
.
If the package uses a modified version of the given library it is highly
recommended to coordinate with the library's maintainer to include the
changes on the system version of the library.
Tag: debug-symbols-directly-in-usr-lib-debug
Severity: important
Certainty: certain
Info: The given debugging symbols-only object is installed directly in
<tt>/usr/lib/debug</tt>, although it should be installed in a
subdirectory. For example, debug symbols of a binary in
<tt>/usr/bin</tt> should be placed in <tt>/usr/lib/debug/usr/bin</tt>.
gdb, when looking for debugging symbols, prepends <tt>/usr/lib/debug</tt>
to the path of the original binary.
Tag: ocaml-custom-executable
Severity: normal
Certainty: possible
Info: This package provides an OCaml bytecode executable linked with a
custom runtime. Such executables cannot be stripped and require
special care. Their usage is deprecated in favour of shared libraries
for C stubs (dll*.so).
Tag: hardening-no-stackprotector
Severity: normal
Certainty: wild-guess
Info: This package provides an ELF binary that lacks the stack protector
function <tt>__stack_chk_fail</tt>. Either there are no character arrays used
on the stack of any routines, or the package was not built with the
default Debian compiler flags defined by <tt>dpkg-buildflags</tt>. If built
using <tt>dpkg-buildflags</tt> directly, be sure to import <tt>CFLAGS</tt>
and/or <tt>CXXFLAGS</tt>.
Ref: http://wiki.debian.org/Hardening
Tag: hardening-no-fortify-functions
Severity: normal
Certainty: possible
Info: This package provides an ELF binary that lacks the use of fortified
libc functions. Either there are no potentially unfortified functions
called by any routines, all unfortified calls have already been fully
validated at compile-time, or the package was not built with the default
Debian compiler flags defined by <tt>dpkg-buildflags</tt>. If built using
<tt>dpkg-buildflags</tt> directly, be sure to import <tt>CPPFLAGS</tt>.
.
NB: Due to false-positives, Lintian ignores some unprotected functions
(e.g. memcpy).
Ref: http://wiki.debian.org/Hardening, #673112
Tag: hardening-no-relro
Severity: normal
Certainty: certain
Info: This package provides an ELF binary that lacks the "read-only
relocation" link flag. This package was likely not built with the
default Debian compiler flags defined by <tt>dpkg-buildflags</tt>.
If built using <tt>dpkg-buildflags</tt> directly, be sure to import
<tt>LDFLAGS</tt>.
Ref: http://wiki.debian.org/Hardening
|