Package: browser-history Version: 2.8-14 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them.
The following patch fixes the issue by adding them to CFLAGS. For
more hardening information please have a look at [1], [2] and
[3].
diff -Nru browser-history-2.8/debian/rules browser-history-2.8/debian/rules
--- browser-history-2.8/debian/rules 2012-04-02 13:30:27.000000000 +0200
+++ browser-history-2.8/debian/rules 2012-04-07 16:53:36.000000000 +0200
@@ -10,7 +10,7 @@
else
CROSS := CC=$(DEB_HOST_GNU_TYPE)-gcc
endif
-FLAGS := CFLAGS='$(shell dpkg-buildflags --get CFLAGS) -Wall' \
+FLAGS := CFLAGS='$(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags
--get CPPFLAGS) -Wall' \
LDFLAGS='$(shell dpkg-buildflags --get LDFLAGS)'
override_dh_auto_build:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/browser-history
/usr/bin/browser-history:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
