/usr/share/lintian/checks/binaries.desc

Check-Script: binaries
Author: Christian Schwarz <schwarz@debian.org>
Abbrev: bin
Type: binary, udeb
Needs-Info: hardening-info, objdump-info, file-info, strings, index
Info: This script checks binaries and object files for bugs.

Tag: arch-independent-package-contains-binary-or-object
Severity: serious
Certainty: possible
Info: The package contains a binary or object file but is tagged
 Architecture: all.
 .
 If this package contains binaries or objects for cross-compiling or
 binary blobs for other purposes independent of the host architecture
 (such as BIOS updates or firmware), please add a Lintian override.

Tag: unstripped-binary-or-object
Severity: important
Certainty: certain
Ref: policy 10.1, policy 10.2
Info: The package installs an unstripped binary or object file.
 .
 Please note, that shared libraries have to be stripped with the
 <tt>--strip-unneeded</tt> option.

Tag: library-in-debug-or-profile-should-not-be-stripped
Severity: serious
Certainty: certain
Info: Libraries in <tt>.../lib/debug</tt> or in
 <tt>.../lib/profile</tt> must not be stripped; this defeats the whole
 point of the separate library.

Tag: statically-linked-binary
Severity: important
Certainty: possible
Info: The package installs a statically linked binary or object file.
 .
 Usually this is a bug.  Otherwise, please add an override if your package
 is an exception.  Binaries named *-static and *.static are automatically
 excluded, as are any binaries in packages named *-static.

Tag: library-not-linked-against-libc
Severity: minor
Certainty: certain
Info: The package installs a library which is not dynamically linked
 against libc.

Tag: program-not-linked-against-libc
Severity: minor
Certainty: certain
Info: The package installs a binary which is not dynamically linked
 against libc.

Tag: binary-or-shlib-defines-rpath
Severity: serious
Certainty: possible
Ref: http://wiki.debian.org/RpathIssue
Info: The binary or shared library sets RPATH.  This overrides the normal
 library search path, possibly interfering with local policy and causing
 problems for multilib, among other issues.
 .
 The only time a binary or shared library in a Debian package should set
 RPATH is if it is linked to private shared libraries in the same package.
 In that case, place those private shared libraries in
 <tt>/usr/lib/<i>package</i></tt>.  Libraries used by binaries in other
 packages should be placed in <tt>/lib</tt> or <tt>/usr/lib</tt> as
 appropriate, with a proper SONAME, in which case RPATH is unnecessary.
 .
 To fix this problem, look for link lines like:
     gcc test.o -o test -Wl,--rpath,/usr/local/lib
 or
     gcc test.o -o test -R/usr/local/lib
 and remove the <tt>-Wl,--rpath</tt> or <tt>-R</tt> argument.  You can also
 use the chrpath utility to remove the RPATH.

Tag: binary-has-unneeded-section
Severity: wishlist
Certainty: certain
Info: The binary or shared library is stripped, but still contains a
 section that is not useful.  You should call strip with
 <tt>--remove-section=.comment --remove-section=.note</tt> to remove the
 <tt>.note</tt> and <tt>.comment</tt> sections.
 .
 <tt>dh_strip</tt> will do this automatically for you, but
 <tt>install -s</tt> not because it calls strip without any arguments.

Tag: missing-depends-line
Severity: normal
Certainty: certain
Info: The package contains an ELF binary with dynamic dependencies,
 but does not have a Depends line in its control file.  This usually
 means that a call to <tt>dpkg-shlibdeps</tt> is missing from the
 package's <tt>debian/rules</tt> file.

Tag: shared-lib-without-dependency-information
Severity: normal
Certainty: certain
Info: The listed shared library doesn't include information about which
 other libraries the library was linked against. (When running "<tt>ldd
 foo.so</tt>" ldd should report about these other libraries. In your
 case, ldd just reports "statically linked".)
 .
 To fix this, you should explicitly specify the libraries which are
 used (e.g., "-lc") when building the shared library with "ld".
 .
 If you have questions about this, please contact &debdev;.

Tag: arch-dependent-file-in-usr-share
Severity: serious
Certainty: certain
Ref: fhs usrsharearchitectureindependentdata
Info: This package installs an ELF binary in the <tt>/usr/share</tt>
 hierarchy, which is reserved for architecture-independent files.

Tag: arch-dependent-file-not-in-arch-specific-directory
Severity: serious
Certainty: possible
Ref: https://wiki.ubuntu.com/MultiarchSpec
Info: This package is Multi-Arch "same", but it installs an ELF binary in the
 directory that is not architecture-specific.

Tag: binary-in-etc
Severity: serious
Certainty: certain
Ref: fhs etchostspecificsystemconfiguration
Info: This package installs an ELF binary in <tt>/etc</tt>.  The
 Filesystem Hierarchy Standard forbids this.

Tag: binary-compiled-with-profiling-enabled
Severity: normal
Certainty: certain
Info: While profiling is useful for testing and debugging purposes, enabling
 it causes a program to leave gmon.out files whenever a user runs it.

Tag: binary-file-compressed-with-upx
Severity: serious
Certainty: certain
Info: Debian does not allow binaries to be compressed by UPX.

Tag: package-name-doesnt-match-sonames
Severity: normal
Certainty: possible
Info: The package name of a library package should usually reflect
 the soname of the included library. The package name can determined
 from the library file name with the following code snippet:
 .
  $ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | sed -e's/\([0-9]\)\.so\./\1-/; s/\.so\.//'

Tag: binary-with-bad-dynamic-table
Severity: serious
Certainty: possible
Info: This appears to be an ELF file but objdump -T cannot parse it.
 If it is external debugging symbols for another file, it should be
 installed under /usr/lib/debug.

Tag: apparently-corrupted-elf-binary
Severity: normal
Certainty: possible
Info: This appears to be an ELF file but objdump -T doesn't recognize it
 as valid.  This may be a mistake or a corrupted file, you may need to
 install binutils-multiarch on the system running lintian so that
 non-native binaries are handled correctly, or it may be a
 misidentification of a file as ELF that actually isn't.

Tag: apparently-truncated-elf-binary
Severity: normal
Certainty: possible
Info: This appears to be an ELF file, but objdump believes it is
 truncated.  This may be a mistake or a corrupted file, or it may be a
 misidentification of a file as ELF that actually isn't.

Tag: missing-dependency-on-libc
Severity: serious
Certainty: possible
Ref: policy 8.6
Info: The listed file appears to be linked against the C library, but the
 package doesn't depend on the C library package.  Normally this indicates
 that ${shlibs:Depends} was omitted from the Depends line for this package
 in <tt>debian/control</tt>.
 .
 All shared libraries and compiled binaries must be run through
 dpkg-shlibdeps to find out any libraries they are linked against (often
 via the dh_shlibdeps debhelper command).  The package containing these
 files must then depend on ${shlibs:Depends} in <tt>debian/control</tt> to
 get the proper package dependencies for those libraries.

Tag: missing-dependency-on-perlapi
Severity: serious
Certainty: certain
Ref: perl-policy 4.4.2
Info: This package includes a *.so file in <tt>/usr/lib/perl5</tt>,
 normally indicating that it includes a binary Perl module.  Binary Perl
 modules must depend on perlapi-$Config{version} (from the Config module).
 If the package is using debhelper, this problem is usually due to a
 missing dh_perl call in <tt>debian/rules</tt> or a missing
 ${perl:Depends} substitution variable in the Depends line in
 <tt>debian/control</tt>.

Tag: missing-dependency-on-phpapi
Severity: serious
Certainty: certain
Info: This package includes a *.so file in <tt>/usr/lib/phpN</tt>
 (where N is a number representing the major PHP version), normally
 indicating that it includes a PHP extension.  PHP extensions must
 depend on phpapi-$(php-configN --phpapi), without adding an
 alternative package with the OR operator.
 .
 This can usually be achieved by, for example, adding the following
 code to the binary-arch target of the rules file and adding
 <tt>${php:Depends}</tt> to the <tt>Depends</tt> field of the binary
 package shipping the extension:
 .
 echo "php:Depends=phpapi-$(php-config5 --phpapi)" &gt; debian/substvars

Tag: missing-dependency-on-numpy-abi
Severity: serious
Certainty: possible
Info: This package includes a Python extension module, which uses Numpy via its
 binary interface. Such packages must depend on python-numpy-abi<i>N</i>.
 .
 If the package is using debhelper, this problem is usually due to a
 missing dh_numpy (or dh_numpy3) call in <tt>debian/rules</tt>.
Ref: /usr/share/doc/python-numpy/README.DebianMaints

Tag: debug-file-should-use-detached-symbols
Severity: normal
Certainty: certain
Ref: devref 6.7.9
Info: This file is in a location generally used for detached debugging
 symbols, but it appears to contain a complete copy of the executable or
 library instead of only the debugging symbols.  Files in subdirectories
 of <tt>/usr/lib/debug</tt> mirroring the main file system should contain
 only debugging information generated by <tt>objcopy
 --only-keep-debug</tt>.  Binaries or shared objects built with extra
 debugging should be installed directly in <tt>/usr/lib/debug</tt> or in
 subdirectories corresponding to the package, not in the directories that
 mirror the main file system.
 .
 If you are using dh_strip with the --dbg-package flag, don't also install
 the library in <tt>/usr/lib/debug</tt>.  dh_strip does all the work for
 you.

Tag: binary-from-other-architecture
Severity: serious
Certainty: possible
Info: This ELF binary appears to have been built for an architecture other
 than the one of the binary package being tested.  This may occur when a
 pre-built binary is shipped in the package or when an attempt to
 cross-compile didn't work.

Tag: spelling-error-in-binary
Severity: minor
Certainty: wild-guess
Info: Lintian found a spelling error in the given binary.  Lintian has a
 list of common misspellings that it looks for.  It does not have a
 dictionary like a spelling checker does.
 .
 If the string containing the spelling error is translated with the help
 of gettext or a similar tool, please fix the error in the translations as
 well as the English text to avoid making the translations fuzzy.  With
 gettext, for example, this means you should also fix the spelling mistake
 in the corresponding msgids in the *.po files.
 .
 You can often find the word in the source code by running:
 .
  grep -rw &lt;word&gt; &lt;source-tree&gt;
 .
 This tag may produce false positives for words that contain non-ASCII
 characters due to limitations in <tt>strings</tt>.

Tag: embedded-library
Severity: serious
Certainty: possible
Ref: policy 4.13
Info: The given ELF object appears to have been statically linked to
 a library.  Doing this is strongly discouraged due to the extra work
 needed by the security team to fix all the extra embedded copies or
 trigger the package rebuilds, as appropriate.
 .
 If the package uses a modified version of the given library it is highly
 recommended to coordinate with the library's maintainer to include the
 changes on the system version of the library.

Tag: debug-symbols-directly-in-usr-lib-debug
Severity: important
Certainty: certain
Info: The given debugging symbols-only object is installed directly in
 <tt>/usr/lib/debug</tt>, although it should be installed in a
 subdirectory.  For example, debug symbols of a binary in
 <tt>/usr/bin</tt> should be placed in <tt>/usr/lib/debug/usr/bin</tt>.
 gdb, when looking for debugging symbols, prepends <tt>/usr/lib/debug</tt>
 to the path of the original binary.

Tag: ocaml-custom-executable
Severity: normal
Certainty: possible
Info: This package provides an OCaml bytecode executable linked with a
 custom runtime. Such executables cannot be stripped and require
 special care. Their usage is deprecated in favour of shared libraries
 for C stubs (dll*.so).

Tag: hardening-no-stackprotector
Severity: normal
Certainty: wild-guess
Info: This package provides an ELF binary that lacks the stack protector
 function <tt>__stack_chk_fail</tt>. Either there are no character arrays used
 on the stack of any routines, or the package was not built with the
 default Debian compiler flags defined by <tt>dpkg-buildflags</tt>. If built
 using <tt>dpkg-buildflags</tt> directly, be sure to import <tt>CFLAGS</tt>
 and/or <tt>CXXFLAGS</tt>.
Ref: http://wiki.debian.org/Hardening

Tag: hardening-no-fortify-functions
Severity: normal
Certainty: possible
Info: This package provides an ELF binary that lacks the use of fortified
 libc functions. Either there are no potentially unfortified functions
 called by any routines, all unfortified calls have already been fully
 validated at compile-time, or the package was not built with the default
 Debian compiler flags defined by <tt>dpkg-buildflags</tt>. If built using
 <tt>dpkg-buildflags</tt> directly, be sure to import <tt>CPPFLAGS</tt>.
 .
 NB: Due to false-positives, Lintian ignores some unprotected functions
 (e.g. memcpy).
Ref: http://wiki.debian.org/Hardening, #673112

Tag: hardening-no-relro
Severity: normal
Certainty: certain
Info: This package provides an ELF binary that lacks the "read-only
 relocation" link flag. This package was likely not built with the
 default Debian compiler flags defined by <tt>dpkg-buildflags</tt>.
 If built using <tt>dpkg-buildflags</tt> directly, be sure to import
 <tt>LDFLAGS</tt>.
Ref: http://wiki.debian.org/Hardening
lintian 2.5.10.4 / usr / share / lintian / checks / binaries.desc
