Package: loqui
Version: 0.5.3-1
Severity: normal
Tags: patch

Dear Maintainer,
The CPPFLAGS hardening flags are missing because they are ignored by the build system. For more hardening information please have a look at [1], [2] and [3].

The attached patch "fixes" the issue, but it's only a dirty workaround. The upstream build system should be fixed to not overwrite CPPFLAGS at all (CPPFLAGS are only for preprocessor flags anyway); autoconf/automake provide ways to handle that.

To check if all flags were correctly enabled you can normally use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/loqui
    /usr/bin/loqui:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: yes

Even though the "Fortify Source functions" are now correctly passed, they are not used at the moment. But that's fine. (Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
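As an added example (not from this report, from blhc, or from the loqui build), a small POSIX shell check in the spirit of blhc: it scans the compiler lines of a build log for the flags dpkg-buildflags exports and reports which ones are missing. The expected flag lists are assumed to be the dpkg-buildflags defaults of that time, and the log lines are constructed.

```shell
# Added example, not part of the bug report or of blhc/hardening-check: a
# minimal build-log check in the spirit of blhc. It scans compiler invocation
# lines for the flags dpkg-buildflags exports and reports the missing ones.
# Assumption: the dpkg-buildflags defaults of the time (-D_FORTIFY_SOURCE=2 in
# CPPFLAGS, the stack-protector/format flags in CFLAGS); adjust per release.
EXPECTED_CPPFLAGS='-D_FORTIFY_SOURCE=2'
EXPECTED_CFLAGS='-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

# check_line LINE: print the expected flags absent from LINE (empty if none).
check_line() {
    line=$1
    missing=''
    for flag in $EXPECTED_CPPFLAGS $EXPECTED_CFLAGS; do
        case " $line " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# check_log FILE: print the number of compile lines missing at least one
# flag; details go to stderr. Link lines (no " -c ") are skipped.
check_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *" -c "*) ;;
            *) continue ;;
        esac
        m=$(check_line "$line")
        if [ -n "$m" ]; then
            bad=$((bad + 1))
            printf 'missing [%s] in: %s\n' "$m" "$line" >&2
        fi
    done < "$1"
    echo "$bad"
}

# Constructed sample log: the first compile line mirrors this bug (CFLAGS
# hardening present, CPPFLAGS overwritten so -D_FORTIFY_SOURCE=2 is gone).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
gcc -DHAVE_CONFIG_H -I. -g -Wall -Wredundant-decls -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c loqui_app.c -o loqui_app.o
gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -c loqui_core.c -o loqui_core.o
/bin/sh ../libtool --mode=link gcc -g -O2 -Wl,-z,relro -o loqui loqui_app.o loqui_core.o
EOF
check_log "$LOG"   # prints 1
```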
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-05-27 --- loqui-0.5.3.orig/libloqui/Makefile.am +++ loqui-0.5.3/libloqui/Makefile.am @@ -25,7 +25,7 @@ add-built-sources-to-bzr-ignore: SUBDIRS = . protocols INCLUDES = $(GLIB_CFLAGS) $(GNET_CFLAGS) $(EXTRA_WARNING_CFLAGS) -I$(includedir) -I$(top_srcdir) -DG_LOG_DOMAIN=\"libloqui\" -CPPFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +CPPFLAGS += -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes %.c %.h %-private.h: %.gob gob2 --always-private-header $< --- loqui-0.5.3.orig/libloqui/protocols/jabber/Makefile.am +++ loqui-0.5.3/libloqui/protocols/jabber/Makefile.am @@ -24,7 +24,7 @@ add-built-sources-to-bzr-ignore: INCLUDES = $(GLIB_CFLAGS) $(GNET_CFLAGS) $(EXTRA_WARNING_CFLAGS) -I$(includedir) -I$(top_srcdir) -DG_LOG_DOMAIN=\"libloqui\" -CPPFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +CPPFLAGS += -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes %.c %.h %-private.h: %.gob gob2 --always-private-header $< --- loqui-0.5.3.orig/src/Makefile.am +++ loqui-0.5.3/src/Makefile.am @@ -40,7 +40,7 @@ endif bin_PROGRAMS = loqui INCLUDES = -I$(includedir) -I$(top_srcdir)/libloqui -I$(top_builddir)/libloqui -I$(top_srcdir) -I$(top_builddir) -DG_LOG_DOMAIN=\"Loqui\" -CPPFLAGS = $(GTK_CFLAGS) $(EXTRA_WARNING_CFLAGS) -g -DDATADIR=\""$(datadir)"\" $(GNET_CFLAGS) -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +CPPFLAGS += $(GTK_CFLAGS) $(EXTRA_WARNING_CFLAGS) -g -DDATADIR=\""$(datadir)"\" $(GNET_CFLAGS) -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes loqui_SOURCES = \
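Review bot: in the libloqui/Makefile.am hunk, `CPPFLAGS += ...` stops discarding the CPPFLAGS that dpkg-buildflags exports (which is what lets -D_FORTIFY_SOURCE=2 through), but everything appended there (-g and the -W* warnings) is a compiler option, not a preprocessor one. The automake-native fix is to leave the user-reserved CPPFLAGS untouched and put these in `AM_CFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes`; that also keeps the warnings when someone passes `make CPPFLAGS=...` on the command line, which the `+=` form loses.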
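Review bot: the libloqui/protocols/jabber/Makefile.am hunk is the same construct with the same caveat: `+=` is a stop-gap and the -g/-W* options belong in `AM_CFLAGS`. Since this file and libloqui/Makefile.am carry an identical flag list, defining it once in configure.ac and substituting it into both would avoid the two copies drifting apart.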
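Review bot: in the src/Makefile.am hunk, only `-DDATADIR=\""$(datadir)"\"` is genuinely a preprocessor definition; `$(EXTRA_WARNING_CFLAGS)` and the -g/-W* options are compiler flags, and the pkg-config `$(GTK_CFLAGS)`/`$(GNET_CFLAGS)` (mostly -I/-D) fit either AM_CPPFLAGS or AM_CFLAGS. Splitting them as `AM_CPPFLAGS = -DDATADIR=\""$(datadir)"\" $(GTK_CFLAGS) $(GNET_CFLAGS)` and `AM_CFLAGS = $(EXTRA_WARNING_CFLAGS) -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes` leaves CPPFLAGS entirely to the environment, which is the upstream fix the report asks for.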