Bug#665192: bmf: CPPFLAGS hardening flags missing

Thu, 22 Mar 2012 07:54:20 -0700 

Package: bmf
Version: 0.9.4-6
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because the build system
ignores them.

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue and also uses
DEB_*_MAINT_APPEND to set additional flags (buildflags.mk is not
necessary with compat=9).

diff -Nru bmf-0.9.4/debian/rules bmf-0.9.4/debian/rules
--- bmf-0.9.4/debian/rules      2012-02-16 06:19:17.000000000 +0100
+++ bmf-0.9.4/debian/rules      2012-03-22 15:45:17.000000000 +0100
@@ -2,16 +2,14 @@
 
 PACKAGE = bmf
 
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
-CFLAGS += -DNDEBUG -D_UNIX -D_LINUX -Wall -DHAVE_LIBDB
-LDFLAGS += -Wl,--as-needed
+DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -DNDEBUG -D_UNIX -D_LINUX -Wall 
-DHAVE_LIBDB
+DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
 
 override_dh_auto_configure:
        ./configure --with-package=libdb
 
 override_dh_auto_build:
-       $(MAKE) LDFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" SYSLIBS=-ldb
+       $(MAKE) CFLAGS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" SYSLIBS=-ldb
 
 %:
        dh $@

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/bmfconv /usr/bin/bmf
    /usr/bin/bmfconv:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/bmf:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to