reopen 672310 thanks Dear Maintainer,
The hardening is not complete due to a typo in debian/rules and the buildsystem ignoring some hardening flags. For more hardening information please have a look at [1], [2] and [3]. The following _and_ the attached patch fixes the issue.
diff -Nru zlib-1.2.7.dfsg/debian/rules zlib-1.2.7.dfsg/debian/rules
--- zlib-1.2.7.dfsg/debian/rules 2012-05-19 20:52:05.000000000 +0200
+++ zlib-1.2.7.dfsg/debian/rules 2012-05-20 14:49:27.000000000 +0200
@@ -17,7 +17,7 @@
 DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_GNU_OS)
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
-CFLAGS = `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPLAGS` -Wall -D_REENTRANT
+CFLAGS = `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPFLAGS` -Wall -D_REENTRANT
 LDFLAGS = `dpkg-buildflags --get LDFLAGS`
 # binutils doesn't supply the prefixed version normally like GCC does so
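Review bot: The corrected line still defines CFLAGS with `=` and shell backticks, so both dpkg-buildflags invocations run again in every recipe line that expands `$(CFLAGS)` (LDFLAGS likewise), and the variable is unusable at make level — inside an `ifeq` or `$(shell)` the backticks are passed through as literal text. Expanding once at parse time gives every recipe the same value: `CFLAGS := $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS) -Wall -D_REENTRANT` and `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)`. On dpkg versions that ship it, `include /usr/share/dpkg/buildflags.mk` sets CFLAGS, CPPFLAGS and LDFLAGS as separate make variables without any shell call, which would also let CPPFLAGS be handed to sub-builds under its own name instead of being folded into CFLAGS.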
@@ -111,7 +111,9 @@
 dh_testdir
 $(MAKE)
- $(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc OPT="$(CFLAGS)" -C contrib/minizip
+ # Don't overwrite CFLAGS, LDFLAGS so the Makefile can append its own
+ # settings.
+ CFLAGS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc -C contrib/minizip
 -$(MAKE) test
 touch $@
To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/lib/x86_64-linux-gnu/libz.so.1.2.7 /usr/lib/debug/usr/lib/x86_64-linux-gnu/libz.so.1.2.7 /usr/lib/debug/usr/lib/libz.so.1.2.7 /usr/lib/debug/usr/lib32/libz.so.1.2.7 /usr/bin/miniunzip ... /usr/lib/x86_64-linux-gnu/libz.so.1.2.7: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/lib/debug/usr/lib/x86_64-linux-gnu/libz.so.1.2.7: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: unknown, not linked against libc Read-only relocations: yes Immediate binding: no not found! /usr/lib/debug/usr/lib/libz.so.1.2.7: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: unknown, not linked against libc Read-only relocations: yes Immediate binding: no not found! /usr/lib/debug/usr/lib32/libz.so.1.2.7: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: unknown, not linked against libc Read-only relocations: yes Immediate binding: no not found! /usr/bin/miniunzip: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ...
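Review bot: `$(CPPFLAGS)` on the new CFLAGS= line has no visible definition in debian/rules, and the previous hunk already folds `dpkg-buildflags --get CPPFLAGS` into CFLAGS, so it expands either to nothing or — if the build driver exports CPPFLAGS into the environment — to a second copy of the preprocessor flags on every minizip compiler line. As the file stands, `CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" $(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc -C contrib/minizip` is sufficient. The enclosing target's header is outside the hunk, so I cannot see whether CPPFLAGS is set elsewhere in the file; if it is, the duplication rather than the empty expansion applies.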
(Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-05-20
Index: zlib-1.2.7.dfsg/Makefile.in
===================================================================
--- zlib-1.2.7.dfsg.orig/Makefile.in 2012-05-20 14:45:34.528517120 +0200
+++ zlib-1.2.7.dfsg/Makefile.in 2012-05-20 14:46:58.492516369 +0200
@@ -167,22 +167,22 @@
 -@rmdir objs
 example$(EXE): example.o $(STATICLIB)
- $(CC) $(CFLAGS) -o $@ example.o $(TEST_LDFLAGS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ example.o $(TEST_LDFLAGS)
 minigzip$(EXE): minigzip.o $(STATICLIB)
- $(CC) $(CFLAGS) -o $@ minigzip.o $(TEST_LDFLAGS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ minigzip.o $(TEST_LDFLAGS)
 examplesh$(EXE): example.o $(SHAREDLIBV)
- $(CC) $(CFLAGS) -o $@ example.o -L. $(SHAREDLIBV)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ example.o -L. $(SHAREDLIBV)
 minigzipsh$(EXE): minigzip.o $(SHAREDLIBV)
- $(CC) $(CFLAGS) -o $@ minigzip.o -L. $(SHAREDLIBV)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ minigzip.o -L. $(SHAREDLIBV)
 example64$(EXE): example64.o $(STATICLIB)
- $(CC) $(CFLAGS) -o $@ example64.o $(TEST_LDFLAGS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ example64.o $(TEST_LDFLAGS)
 minigzip64$(EXE): minigzip64.o $(STATICLIB)
- $(CC) $(CFLAGS) -o $@ minigzip64.o $(TEST_LDFLAGS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ minigzip64.o $(TEST_LDFLAGS)
 install-libs: $(LIBS)
 -@if [ ! -d $(DESTDIR)$(exec_prefix) ]; then mkdir -p $(DESTDIR)$(exec_prefix); fi
Index: zlib-1.2.7.dfsg/contrib/minizip/Makefile
===================================================================
--- zlib-1.2.7.dfsg.orig/contrib/minizip/Makefile 2012-05-20 14:45:34.472517122 +0200
+++ zlib-1.2.7.dfsg/contrib/minizip/Makefile 2012-05-20 14:46:58.492516369 +0200
@@ -1,5 +1,5 @@
 CC=cc
-CFLAGS=-O -I../..
+CFLAGS+=-O -I../..
 UNZ_OBJS = miniunz.o unzip.o ioapi.o ../../libz.a
 ZIP_OBJS = minizip.o zip.o ioapi.o ../../libz.a
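Review bot: The six rewritten link lines only gain hardening flags if the generated Makefile's LDFLAGS variable actually carries the environment value; Makefile.in's own `LDFLAGS=` assignment is outside this hunk, so whether configure substitutes it cannot be confirmed from here, and if it does not, `$(LDFLAGS)` expands to nothing and the example/minigzip binaries are linked exactly as before. A blhc pass over the build log, as the message itself suggests, would settle it, and the DEP-3 header would benefit from a sentence stating that configure fills `LDFLAGS=` from the environment. The same caveat applies to the two minizip link lines in the following hunk.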
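Review bot: `CFLAGS+=-O -I../..` appends `-O` after the caller's flags, so with CFLAGS now inherited from the environment a value such as `-g -O2 -fstack-protector ...` ends up as `... -O2 ... -O`, and gcc honours the last optimisation option: the minizip objects are silently built at -O1 rather than the level the distribution's flags specify. Separating the default from the include path keeps the old behaviour for a bare `make` and respects the caller otherwise: `CFLAGS?=-O` followed by `CFLAGS+=-I../..`. The `CC=cc` context line is the same kind of hard assignment, but the rules file overrides it on the command line, so it is harmless here.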
@@ -10,10 +10,10 @@
 all: miniunz minizip
 miniunz: $(UNZ_OBJS)
- $(CC) $(CFLAGS) -o $@ $(UNZ_OBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(UNZ_OBJS)
 minizip: $(ZIP_OBJS)
- $(CC) $(CFLAGS) -o $@ $(ZIP_OBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(ZIP_OBJS)
 test: miniunz minizip
 ./minizip test readme.txt