reopen 658965 thanks Dear Maintainer,
The LDFLAGS hardening flags are missing because they are not set in debian/rules. The following patch fixes the issue.
diff -u libdumb-0.9.3/debian/rules libdumb-0.9.3/debian/rules
--- libdumb-0.9.3/debian/rules
+++ libdumb-0.9.3/debian/rules
@@ -4,6 +4,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
+
 # Compilation options
 export CONFIG_FLAGS="--prefix=/usr"
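Review bot: The two new assignments fetch only CFLAGS and LDFLAGS and do not export them, so `-D_FORTIFY_SOURCE=2`, which dpkg-buildflags hands out in CPPFLAGS, is never requested here, and the values are guaranteed to be visible only to recipes in this file. The later hunk uses them on the two `$(CC) ... -shared` link lines, while the objects themselves are built by the `$(MAKE) ... CFLAGS_EXTRA=-fPIC` sub-makes. Whether those sub-makes see hardened compile flags depends on the calling environment and on the upstream Makefile, neither of which is visible in the patch. If they do not, add `CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)` and `export CFLAGS CPPFLAGS LDFLAGS`, then confirm the stack-protector and fortify flags on the compile lines of the build log.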
@@ -36,9 +39,9 @@
 $(MAKE) lib/unix/libdumb.a CFLAGS_EXTRA=-fPIC
 $(MAKE) lib/unix/libaldmb.a CFLAGS_EXTRA=-fPIC
- $(CC) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
+ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
 ln -s libdumb.so.1.0.0 debian/libdumb1/usr/lib/libdumb.so
- $(CC) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
+ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
 rm -f debian/libdumb1/usr/lib/libdumb.so
 touch build-stamp

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/lib/libdumb.so.1.0.0 /usr/lib/libaldmb.so.1.0.0 /usr/lib/libdumb.so.1.0.0: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/lib/libaldmb.so.1.0.0: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found!
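Review bot: Neither rewritten `$(CC) ... -shared` line ends up with `-Wl,-z,now`, so both libraries keep lazy binding and RELRO stays partial, leaving the PLT part of the GOT writable after load. The hardening-check output quoted in this report shows "Immediate binding: no" for both files. dpkg-buildflags adds that flag only when the bindnow feature is enabled, so if full RELRO is wanted the lookup in the first hunk could become `LDFLAGS := $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow dpkg-buildflags --get LDFLAGS)`. The recipe these lines belong to starts outside the hunk, so a one-line comment above the link commands such as `# CFLAGS/LDFLAGS come from dpkg-buildflags (hardening)` would also help.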
Fortify Source functions: unknown, no protectable libc functions used Read-only relocations: yes Immediate binding: no not found! Regards, Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9