Missing Fortified Functions vulnerability report

[jkavanaghdeluxe]

We have received a report of potential vulnerabilities in the BreachDetector solution as listed below:

Risk Value - M3
Issue Description - Missing Fortified Functions
Details - This finding is for Android. The shared object does not have any fortified functions. Fortified functions provide buffer overflow checks against glibc's commons insecure functions like strcpy, gets etc. The affected libraries are:
armeabi-v7a/libtool-checker.so
armeabi-v7a/libanti.so
arm64-v8a/libtool-checker.so
arm64-v8a/libanti.so
Recommendation - Use the compiler option -D_FORTIFY_SOURCE=2 to fortify functions

[jkavanaghdeluxe]

@nmilcoff is this project being maintained? If so, are fortified functions already being used or is that work planned?

[nmilcoff]

Hi @jkavanaghdeluxe , unfortunately I have moved on to a different stack (outside of dotnet) so this project is unfortunately unmaintained at this point

[jkavanaghdeluxe]

@nmilcoff Thanks for the response.