Package: pyside Version: 1.1.0-1 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
diff -Nru pyside-1.1.0/debian/rules pyside-1.1.0/debian/rules
--- pyside-1.1.0/debian/rules 2012-01-04 10:48:07.000000000 +0100
+++ pyside-1.1.0/debian/rules 2012-03-29 20:48:50.000000000 +0200
@@ -1,5 +1,13 @@
#!/usr/bin/make -f
+# Enable verbose build to detect missing (hardening) flags.
+export VERBOSE=1
+
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
%:
dh $@ --with python2 --with python3 --buildsystem=cmake --parallel
It also enables verbose builds to make it easy to (automatically)
spot missing hardening flags.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything).
However at the moment fortification (which is set by CPPFLAGS) is
not yet used because there are no protectable functions. Still
passing CPPFLAGS is important to automatically protect new
functions in the future.
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
