Bug#656128: Please enabled hardened build flags

Mon, 30 Apr 2012 12:42:35 -0700 

reopen 656128
thanks

Dear Maintainer,

Sorry to bother you again, but the update to compat=9 disabled
the custom CFLAGS, including CPPFLAGS. And `...` in CFLAGS breaks
the build.

The following patch fixes the issue:

diff -Nru slang2-2.2.4/debian/rules slang2-2.2.4/debian/rules
--- slang2-2.2.4/debian/rules   2012-04-29 04:40:04.000000000 +0200
+++ slang2-2.2.4/debian/rules   2012-04-30 20:56:18.000000000 +0200
@@ -3,7 +3,7 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-DEB_CFLAGS_MAINT_APPEND= -fno-strength-reduce -D_REENTRANT -D_XOPEN_SOURCE=500 
`dpkg-buildflags --get CPPFLAGS`
+export DEB_CFLAGS_MAINT_APPEND = -fno-strength-reduce -D_REENTRANT 
-D_XOPEN_SOURCE=500 $(shell dpkg-buildflags --get CPPFLAGS)
 
 # Magic debhelper rule
 %:

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [1]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/slsh /lib/x86_64-linux-gnu/libslang.so.2.2.4 
/usr/lib/x86_64-linux-gnu/slang/v2/modules/zlib-module.so ...
    /usr/bin/slsh:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/libslang.so.2.2.4:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/x86_64-linux-gnu/slang/v2/modules/zlib-module.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to