Questions tagged [fortify-source]
FORTIFY_SOURCE is a security feature, originally from GCC and glibc, that attempts to detect certain classes of buffer overflows. It is enabled by default on most Linux platforms and available for some other platforms.
fortify-source
56 questions
0 votes, 0 answers, 5 views
How to add application versions from one group which is in ldap entities to another group in ldap entities in fortify ssc
Above is the image where the application versions I need to assign to another group in LDAP entities are shown; there are about more than 5000 application version access in the ...
-1 votes, 1 answer, 64 views
How to debug "*** buffer overflow detected ***: program_name terminated" along with _FORTIFY_SOURCE=2
My program crashes with the message "*** buffer overflow detected ***: program_name terminated", and I suspect it may be related to the compiler option "_FORTIFY_SOURCE=2" that I ...
0 votes, 0 answers, 36 views
Why does -D_FORTIFY_SOURCE=2 have no effect on functions called by C++ stdlib functions?
At work, some of the binaries are required to be compiled with -D_FORTIFY_SOURCE=2. While verifying the compiled binary with checksec or hardening-check, I found that not all fortifiable functions ...
0 votes, 0 answers, 153 views
Why am I not getting compiler warnings for buffer overflow with -D_FORTIFY_SOURCE=2 in gcc 10.2.0?
Is there any change with respect to FORTIFY_SOURCE in gcc 10.2.0? I am not getting compiler warnings for buffer overflow during the build, but the buffer overflow is detected at runtime and the program terminates.
...
10 votes, 1 answer, 207 views
call to ‘__wmemcpy_chk_warn’: "wmemcpy called with length bigger than size of destination buffer"
I have this snippet of code (let's name it problem.cpp):
#include <string>
using str = std::wstring;
static str foo(str text = str())
{
text.resize(4);
return text;
}
int main()
{
...
1 vote, 0 answers, 290 views
What is the difference between gcc option -D_FORTIFY_SOURCE and kernel configuration CONFIG_FORTIFY_SOURCE
I want to confirm the difference between gcc option -D_FORTIFY_SOURCE and kernel configuration CONFIG_FORTIFY_SOURCE. As far as I could understand, gcc option -D_FORTIFY_SOURCE is for compile time ...
0 votes, 1 answer, 576 views
D_FORTIFY_SOURCE=1 flag usage does not take effect
As per the document https://www.redhat.com/en/blog/enhance-application-security-fortifysource, I see that D_FORTIFY_SOURCE provides buffer overflow checks for the following functions: memcpy, mempcpy, ...
1 vote, 0 answers, 545 views
Fortify: XSLT Injection attacks fix
Fortify scan results show me an XSLT injection attack warning on the code below
public Saxon.Api.XsltTransformer transformer = null;
using (System.IO.StreamReader reader = new StreamReader("C:...
3 votes, 1 answer, 2k views
Why does -D_FORTIFY_SOURCE=2 have no effect in my compilation?
I have been adding some "compilation flags" to activate security measures in my binary. And then I check that the measures are implemented using the checksec tool. I have been able to ...
1 vote, 1 answer, 2k views
GCC isn't enabling D_FORTIFY_SOURCE, even with optimisation flag set (-O2)
I've recently read about D_FORTIFY_SOURCE and the changes it makes to vulnerable functions. I wished to mess around with it, and as such made a small test binary.
The test binary's source code is:
#...
0 votes, 1 answer, 967 views
gcc FORTIFY_SOURCE drastically increases binary size
We have a very large C++ codebase that we would like to compile using gcc with the "FORTIFY_SOURCE=2" option to improve security and reduce the risk of buffer overflows. The problem is when we compile ...
3 votes, 0 answers, 2k views
How to solve Fortify 19.1 low memory error?
I'm using Fortify to scan a Python and PHP code base. The sourceanalyzer complains about insufficient memory. I have 8 GB now. I'm planning to upgrade to 16 GB.
My question is should I use the option -...
0 votes, 1 answer, 988 views
Fortify Audit Workbench add a comment under Issue summary using command line
Fortify seems to have some good command line support to scan and generate a report. Although the utilities do not seem to include an option to add a comment under Issue summary for a particular issue ...
0 votes, 1 answer, 293 views
How do I filterset a particular rule in Fortify SCA?
I want to move one rule to false positive using a filterset or any other way. I don't want to move the whole rule, as in the following case. "Password Management: Hardcoded Password" is one rule there; I want to ...
1 vote, 2 answers, 438 views
strncpy is replaced by __strncpy_chk and fails
I have a statement
strncpy(&data->m_bin->data,versionStr,data->m_bin->sizeData);
in my application which itself is fine and works well. Here data->m_bin->data is a char where the ...