reopen 653531
thanks

Dear Maintainer,
The hardening flags were not enabled completely because the build system
ignores them in a few places. For more hardening information please have a
look at [1], [2] and [3].

The attached patch fixes the issue; if possible it should be sent upstream.

To check if all flags were correctly enabled you can use `hardening-check`
from the hardening-includes package and check the build log (for example
with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/ekglogs /usr/bin/ekg-ncurses /usr/lib/ekg/ioctld /usr/bin/ekg-gtk
    /usr/bin/ekglogs:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ekg-ncurses:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/ekg/ioctld:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ekg-gtk:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by
default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-04-17 --- ekg-1.8~rc2+r2850.orig/src/Makefile.in +++ ekg-1.8~rc2+r2850/src/Makefile.in @@ -33,11 +33,11 @@ SRCS = $(patsubst %.o,$(srcdir)/%.c,$(OB all: dep ekg @ioctld@ ekg: $(OBJS) $(srcdir)/comptime.c - $(CC) $(CFLAGS) -c -o comptime.o $(srcdir)/comptime.c + $(CC) $(CPPFLAGS) $(CFLAGS) -c -o comptime.o $(srcdir)/comptime.c $(CC) $(CFLAGS) -o ekg $(OBJS) comptime.o $(LDFLAGS) $(LIBS) ioctld: $(srcdir)/ioctld.c - $(CC) $(CFLAGS) $< -o $@ $(LIBS) @IOCTLD_OBJS@ + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $< -o $@ $(LIBS) @IOCTLD_OBJS@ dep: .depend --- ekg-1.8~rc2+r2850.orig/contrib/ekg_logs/Makefile +++ ekg-1.8~rc2+r2850/contrib/ekg_logs/Makefile @@ -1,7 +1,7 @@ all: parse parse: parse.c - gcc $(CFLAGS) -o parse parse.c `pkg-config --cflags --libs glib-2.0` # -ggdb + gcc $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o parse parse.c `pkg-config --cflags --libs glib-2.0` # -ggdb clean: rm -f parse
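Review bot: In the src/Makefile.in hunk, the ioctld rule already passed $(CFLAGS) before this change, yet the hardening-check output above reports ioctld with "Stack protected: no" as well as "Fortify Source functions: no". The missing fortify is explained by the absent $(CPPFLAGS) that the hunk now adds, but a missing stack protector means the dpkg-buildflags CFLAGS value did not reach this rule either, which adding $(CPPFLAGS) and $(LDFLAGS) alone does not address; please confirm in the build log (blhc) that CFLAGS is actually substituted into this Makefile.in after the patch, and say so in the patch Description. The new order `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $< -o $@ $(LIBS) @IOCTLD_OBJS@` is otherwise fine: linker flags before the input, libraries after it.

Review bot: In the contrib/ekg_logs/Makefile hunk, the parse rule still hard-codes `gcc` instead of `$(CC)`, so the build flags are now honoured but a compiler override (cross-builds, CC=...) is not; since the line is being rewritten anyway, `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o parse parse.c \`pkg-config --cflags --libs glib-2.0\`` would fix both at once. The commented-out `# -ggdb` at the end of the line can stay or go, but it is dead text and worth dropping while the line is touched.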
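As an added example (not code from this bug report, from ekg, or from the hardening-includes package): a POSIX shell gate that consumes the `hardening-check` report format shown above and fails when a binary lacks stack protector, fortified functions or read-only relocations, treating PIE and immediate binding as optional because the report notes they are not enabled by default. The report it parses is constructed here from the lines above; the function names and the pass/fail policy are assumptions of this example, not anything hardening-check or blhc provides.

```sh
#!/bin/sh
# Added example: a build-log gate over hardening-check output.
# Assumption: hardening-check prints a "path:" line followed by indented
# "Property: answer" lines (the format quoted in the report above).

# Constructed sample report, modelled on the report's lines for two binaries
# (one fully hardened apart from the optional properties, one not).
SAMPLE_REPORT='/usr/bin/ekg-ncurses:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/ekg/ioctld:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!'

# gate_hardening_report: read a hardening-check report on stdin, print one
# "path: Property" line for every required property that is missing, and
# return 1 if anything was missing, 0 otherwise.  Required properties are
# the ones dpkg-buildflags enables by default; PIE and immediate binding
# (bindnow) are ignored because they are opt-in.
gate_hardening_report() {
    awk '
        # A non-indented line ending in ":" names the binary for the
        # indented property lines that follow it.
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        /^ / {
            split($0, kv, ": ")
            prop = kv[1]; sub(/^ +/, "", prop)
            answer = kv[2]
            if (prop == "Stack protected" ||
                prop == "Fortify Source functions" ||
                prop == "Read-only relocations") {
                # hardening-check answers start with "yes" or "no".
                if (answer ~ /^no/) { print file ": " prop; missing = 1 }
            }
        }
        END { exit missing ? 1 : 0 }
    '
}

# scan_tree DIR: the find(1) invocation from the report, piped into the
# gate.  -executable is a GNU find extension, as in the original command.
scan_tree() {
    find "$1" -type f \( -executable -o -name '*.so*' \) \
        -exec hardening-check {} + | gate_hardening_report
}

# Stand-alone demo on the constructed report: prints the two missing
# properties of ioctld and reports a failed gate.
if printf '%s\n' "$SAMPLE_REPORT" | gate_hardening_report; then
    echo "hardening gate: all required properties present"
else
    echo "hardening gate: FAILED (missing properties listed above)"
fi
```

In a packaging CI job, `scan_tree debian/tmp` (or the build directory) gives a non-zero exit that fails the job as soon as one binary misses a required flag, which is exactly the ioctld case above; blhc on the build log stays useful alongside it because, as the report says, hardening-check does not catch everything (it cannot see which compile lines dropped CPPFLAGS, only the resulting binary).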