On Sun, May 20, 2012 at 04:05:44PM +0100, Mark Brown wrote:
>> Description: Use build flags from environment (dpkg-buildflags).
>>  Necessary for hardening flags.
>>
>> example$(EXE): example.o $(STATICLIB)
>> -	$(CC) $(CFLAGS) -o $@ example.o $(TEST_LDFLAGS)
>> +	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ example.o $(TEST_LDFLAGS)
>
> Why on earth are you patching Makefile.in for this? There's already a
> perfectly good way of configuring all this stuff provided upstream which
> you're just ignoring here for no reason.
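Review bot: $(LDFLAGS) is inserted before example.o in the example$(EXE) link rule, which is correct for linker option flags such as the -Wl,-z,relro and -Wl,-z,now that dpkg-buildflags puts in LDFLAGS, but it means any -l library that ever ends up in LDFLAGS is listed before the object that needs it and can be dropped under --as-needed; keep the position only if LDFLAGS is guaranteed to carry options, not libraries. The hunk also only covers this one target: every other link rule in the same Makefile.in that uses $(TEST_LDFLAGS) needs the same $(LDFLAGS) addition, otherwise hardening-check on those binaries will still report relro/now missing.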
Hello Mark,

I just checked zlib 1:1.2.7.dfsg-4 and the hardening flags are still missing.

The first problem is that you missed a part of my patch for debian/rules; the flags for minizip must be passed to the Makefile:

diff -Nru zlib-1.2.7.dfsg/debian/rules zlib-1.2.7.dfsg/debian/rules
--- zlib-1.2.7.dfsg/debian/rules	2012-05-20 17:38:58.000000000 +0200
+++ zlib-1.2.7.dfsg/debian/rules	2012-05-21 01:55:15.000000000 +0200
@@ -111,7 +111,7 @@
 	dh_testdir
 	$(MAKE)
-	$(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc OPT="$(CFLAGS)" -C contrib/minizip
+	CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" $(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc -C contrib/minizip
 	-$(MAKE) test
 	touch $@

The second problem is that TEST_LDFLAGS is not used when configuring (./configure lines 765-793) and therefore not passed to the Makefile when building. Additionally, TEST_LDFLAGS is missing in two compiler commands. I think just patching in LDFLAGS is simpler than fixing configure and adding TEST_LDFLAGS in a few places.

To check if all hardening flags were correctly applied you can use hardening-check (hardening-includes package) and blhc [1], which checks the build log for missing hardening flags.

Regards,
Simon

[1]: http://ruderich.org/simon/blhc

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
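Review bot: passing CFLAGS and LDFLAGS as an environment prefix in front of $(MAKE) is weaker than the OPT="$(CFLAGS)" argument the line replaces. A variable given on the make command line overrides any assignment inside contrib/minizip/Makefile, whereas an environment variable is overridden by such an assignment unless make runs with -e; if that Makefile sets CFLAGS itself, the hardening flags are silently dropped again and LDFLAGS is never seen. Suggest passing them as make arguments instead, e.g. `$(MAKE) CC=$(DEB_HOST_GNU_TYPE)-gcc CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" -C contrib/minizip`, and confirming with blhc that every compile and link line for minizip in the build log actually carries them.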
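The last paragraph of the message above describes checking the build log for missing hardening flags. As an added example that is not part of this thread and not the code of blhc, zlib or the Debian package, the following POSIX shell script does a minimal version of that scan: it classifies each log line as a compile step (has -c) or a link step (has -o but no -c) and reports which of an assumed set of dpkg-buildflags hardening flags is absent. The flag set, the function names and the four-line sample log are assumptions constructed for the example; the sample deliberately reproduces the failure discussed in the thread, where a compile line is hardened but the corresponding link line never received LDFLAGS.

```shell
#!/bin/sh
# Added example (not zlib's, Debian's or blhc's code): a minimal blhc-style
# scan of a build log for compile and link lines lacking hardening flags.
# The flag set below is an assumption modelled on the gcc/ld flags that
# dpkg-buildflags emitted on Debian around 2012; adjust as needed.

# Constructed sample log, not a real zlib build log. Line 1 and line 3 carry
# all flags; line 2 (a minizip compile) and line 4 (its link step) show what
# a missing CFLAGS/LDFLAGS pass-through looks like in the log.
SAMPLE_LOG='gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c -o example.o example.c
gcc -O3 -I../.. -c minizip.c
gcc -g -O2 -fstack-protector -Wl,-z,relro -Wl,-z,now -o example example.o -L. libz.a
gcc -O3 -I../.. -o minizip minizip.o zip.o ioapi.o ../../libz.a'

# Flags expected on every compile line and on every link line respectively.
COMPILE_FLAGS="-fstack-protector -D_FORTIFY_SOURCE=2 -Wformat"
LINK_FLAGS="-Wl,-z,relro -Wl,-z,now"

# missing_flags LINE FLAGS: print the flags from FLAGS that are absent from
# LINE as whole tokens (so -Wformat does not match -Wformat-security),
# space separated; prints an empty line when LINE carries all of them.
missing_flags() {
    line=$1
    missing=""
    for flag in $2; do
        case " $line " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

check_compile_line() { missing_flags "$1" "$COMPILE_FLAGS"; }
check_link_line()    { missing_flags "$1" "$LINK_FLAGS"; }

# scan_log: read a build log on stdin and print one "MISSING ..." line per
# compile or link command that lacks at least one expected flag. Lines
# containing "-c" are compile steps, lines with "-o" but no "-c" are link
# steps, anything else (echo, install, ...) is ignored.
scan_log() {
    while IFS= read -r line; do
        case " $line " in
            *" -c "*) kind=compile; m=$(check_compile_line "$line") ;;
            *" -o "*) kind=link;    m=$(check_link_line "$line") ;;
            *) continue ;;
        esac
        if [ -n "$m" ]; then
            printf 'MISSING (%s): %s  <-  %s\n' "$kind" "$m" "$line"
        fi
    done
}

# count_defective_lines: number of compile/link lines in SAMPLE_LOG that
# lack at least one hardening flag.
count_defective_lines() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log | wc -l | tr -d ' '
}

# Report on the constructed sample log when the script is run directly.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Run it on a real log with `scan_log < build.log` after sourcing the file. The whole-token match is strict on purpose: a line built with -fstack-protector-all or -fstack-protector-strong would be reported as missing -fstack-protector, which is the right place to extend the check if a package legitimately uses a stronger variant.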