Package: cdbs
Version: 0.4.109
Severity: important
Tags: patch

Hello,

The cmake buildsystem ignores CPPFLAGS and upstream rejected a patch to include them in CFLAGS (#653916). This prevents automatic hardening with -D_FORTIFY_SOURCE=2 for all CMake packages (see [1] for more information about hardening).

Modifying all CMake packages just to append CPPFLAGS to CFLAGS creates unnecessary boilerplate and requires modifying all CMake packages - something maintainers are reluctant to do (#667941).

If possible cdbs should be updated as soon as possible to help with the hardening release goal for wheezy.

The attached patch updates cmake.mk to append CPPFLAGS to CFLAGS. It seems to work fine, but I don't have much experience with cdbs's buildsystem - please modify the patch if there's a better way to handle that.

Regards,
Simon

[1]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -Nru cdbs-0.4.109/1/class/cmake.mk.in cdbs-0.4.109.1~hardening1/1/class/cmake.mk.in --- cdbs-0.4.109/1/class/cmake.mk.in 2010-05-22 22:52:01.000000000 +0200 +++ cdbs-0.4.109.1~hardening1/1/class/cmake.mk.in 2012-04-14 18:29:41.000000000 +0200 @@ -42,7 +42,7 @@ CMAKE ?= cmake DEB_CMAKE_INSTALL_PREFIX ?= /usr -DEB_CMAKE_NORMAL_ARGS ?= -DCMAKE_INSTALL_PREFIX="$(DEB_CMAKE_INSTALL_PREFIX)" -DCMAKE_C_COMPILER:FILEPATH="$(CC)" -DCMAKE_CXX_COMPILER:FILEPATH="$(CXX)" -DCMAKE_C_FLAGS="$(CFLAGS)" -DCMAKE_CXX_FLAGS="$(CXXFLAGS)" -DCMAKE_SKIP_RPATH=ON -DCMAKE_VERBOSE_MAKEFILE=ON +DEB_CMAKE_NORMAL_ARGS ?= -DCMAKE_INSTALL_PREFIX="$(DEB_CMAKE_INSTALL_PREFIX)" -DCMAKE_C_COMPILER:FILEPATH="$(CC)" -DCMAKE_CXX_COMPILER:FILEPATH="$(CXX)" -DCMAKE_C_FLAGS="$(CFLAGS) $(CPPFLAGS)" -DCMAKE_CXX_FLAGS="$(CXXFLAGS) $(CPPFLAGS)" -DCMAKE_SKIP_RPATH=ON -DCMAKE_VERBOSE_MAKEFILE=ON common-configure-arch common-configure-indep:: common-configure-impl common-configure-impl:: $(DEB_BUILDDIR)/CMakeCache.txt
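
Review bot: DEB_CMAKE_NORMAL_ARGS is assigned with ?=, so in the changed line the added $(CPPFLAGS) only reaches packages that do not set DEB_CMAKE_NORMAL_ARGS themselves; any debian/rules that overrides the variable will still configure without the preprocessor hardening flags. Consider moving the -DCMAKE_C_FLAGS and -DCMAKE_CXX_FLAGS arguments into a separate variable that is always passed, or documenting in cmake.mk.in that overriders must add $(CPPFLAGS) themselves. A package that already appends CPPFLAGS to CFLAGS in its rules file will now pass those flags twice inside -DCMAKE_C_FLAGS="$(CFLAGS) $(CPPFLAGS)", which is worth mentioning in the changelog so maintainers can drop their local workaround.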