Package: apng2gif
Version: 1.4-2
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because they are not correctly
set in debian/rules.

The following patch bumps debian/compat to 9 to automatically
enable the hardening flags; you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.

diff -Nru apng2gif-1.4/debian/compat apng2gif-1.4/debian/compat
--- apng2gif-1.4/debian/compat  2012-01-12 18:30:18.000000000 +0100
+++ apng2gif-1.4/debian/compat  2012-03-22 15:22:13.000000000 +0100
@@ -1 +1 @@
-8
+9
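Review bot: raising debian/compat from 8 to 9 needs the matching build-dependency, and this patch leaves debian/control untouched; debhelper refuses compat levels it does not support, so Build-Depends should be bumped to `debhelper (>= 9)` in the same change as the `+9` line.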
diff -Nru apng2gif-1.4/debian/rules apng2gif-1.4/debian/rules
--- apng2gif-1.4/debian/rules   2012-02-05 08:08:53.000000000 +0100
+++ apng2gif-1.4/debian/rules   2012-03-22 15:24:01.000000000 +0100
@@ -11,7 +11,7 @@
        $(MAKE) -C debian -f pod2man.mk PACKAGE=$(PACKAGE) makeman
 
 override_dh_auto_build: man
-       $(CC) $(CFLAGS) $(PACKAGE).c -o $(BIN) -lz
+       $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(PACKAGE).c -o $(BIN) -lz
 
 override_dh_installman:
        dh_installman debian/*.1
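Review bot: the new compile line passes $(CPPFLAGS) and $(LDFLAGS) through, but nothing in this hunk sets DEB_BUILD_MAINT_OPTIONS, so only the default dpkg-buildflags set reaches the compiler; that is consistent with the hardening-check output later in the report, where PIE and immediate binding are still off. If those are wanted for this package, add `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` near the top of debian/rules. Note also that these variables only reach the override target when the build runs through dh (compat 9 exports them into the environment); invoking the rule directly would compile without them.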

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/apng2gif
    /usr/bin/apng2gif:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
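As an added example, not part of this bug report or of the apng2gif package, the script below reads the same ELF properties that the hardening-check output above reports: PIE from the ELF object type, read-only relocations from a PT_GNU_RELRO program header, immediate binding from the dynamic-section flags, and the stack protector from the presence of the `__stack_chk_fail` symbol name (a crude substring scan rather than a symbol-table lookup, so treat it as approximate). It assumes little-endian ELF64 input; `build_sample_elf` and the script name in the usage comment are assumptions made for this example, and the image it constructs is headers-only test input, not a real binary.

```python
# Added example: a minimal ELF64 hardening inspector, not code from the bug
# report or from apng2gif. Checks the same properties hardening-check prints.
import struct
import sys

# Constants from the ELF and GNU ABI specifications.
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

ELF64_HDR = "<16sHHIQQQIHHHHHH"  # 64-byte ELF header, little-endian
ELF64_PHDR = "<IIQQQQQQ"         # 56-byte program header
ELF64_DYN = "<qQ"                # 16-byte dynamic entry (d_tag, d_val)


def check_hardening(data: bytes) -> dict:
    """Report PIE, RELRO, BIND_NOW and stack-protector status of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(ELF64_HDR, data, 0)
    result = {
        "pie": e_type == ET_DYN,        # ET_DYN also covers shared objects
        "relro": False,                 # PT_GNU_RELRO segment present
        "bind_now": False,              # DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW
        # Crude approximation of hardening-check's symbol scan: the canary
        # failure handler is referenced by every stack-protected function.
        "stack_protector": b"__stack_chk_fail" in data,
    }
    dynamic = None
    for i in range(e_phnum):
        p_type, _pf, p_offset, _va, _pa, p_filesz, *_ = struct.unpack_from(
            ELF64_PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            d_tag, d_val = struct.unpack_from(ELF64_DYN, data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    return result


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a headers-only ELF64 image (not a runnable binary)."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(ELF64_DYN, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(ELF64_DYN, DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + n_ph * 56                      # dynamic entries follow the phdrs
    phdrs = [struct.pack(ELF64_PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack(ELF64_PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    hdr = struct.pack(ELF64_HDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                      64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return hdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/bin/apng2gif   (script name is an assumption)
    with open(sys.argv[1], "rb") as fh:
        for name, ok in check_hardening(fh.read()).items():
            print(f"{name:>16}: {'yes' if ok else 'no'}")
```

Run it against the built binary to cross-check hardening-check; on a default compat-9 build the expected picture matches the report above (relro and stack protector on, pie and bind_now off), and `hardening=+all` in DEB_BUILD_MAINT_OPTIONS flips the last two. The PIE test is a heuristic in the same way hardening-check's is: a shared library is also ET_DYN.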
