reopen 655139
thanks

Dear Maintainer,

The CPPFLAGS hardening flags are still missing because they are
ignored by the build system. For more hardening information
please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru openswan-2.6.37/debian/rules openswan-2.6.37/debian/rules
--- openswan-2.6.37/debian/rules        2012-05-17 16:08:37.000000000 +0200
+++ openswan-2.6.37/debian/rules        2012-05-27 02:52:57.000000000 +0200
@@ -13,6 +13,11 @@
 DEB_CXXFLAGS_MAINT_APPEND=-fno-strict-aliasing
 include /usr/share/dpkg/buildflags.mk
 
+# The build system doesn't respect CPPFLAGS, pass them to CFLAGS/CXXFLAGS to
+# enable the missing (hardening) flags.
+CFLAGS   += $(CPPFLAGS)
+CXXFLAGS += $(CPPFLAGS)
+
 build-arch: build
 build-indep: build
 build: build-stamp
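Review bot: the appended CPPFLAGS only reach the upstream build if CFLAGS and CXXFLAGS are exported or handed to $(MAKE) on its command line, and neither is visible in this hunk; please confirm that debian/rules already does one of the two, otherwise the two `+=` lines change nothing for the compiler. Placing them after `include /usr/share/dpkg/buildflags.mk` is right, since that include is what defines CFLAGS/CXXFLAGS. It would also help to name in the comment which upstream Makefile variable drops CPPFLAGS, so the workaround can be removed once upstream honours it.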

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/lib/ipsec/pf_key /usr/lib/ipsec/klipsdebug /usr/lib/ipsec/tncfg /usr/lib/ipsec/spigrp ...
    /usr/lib/ipsec/pf_key:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/ipsec/klipsdebug:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/ipsec/tncfg:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/ipsec/spigrp:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
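A small build-log scan in the spirit of blhc, added here as an example; it is not part of this bug report or of openswan. The compile lines it checks are constructed, and the list of expected flags is an assumption about what dpkg-buildflags emits (-D_FORTIFY_SOURCE=2 in CPPFLAGS, -fstack-protector and -Werror=format-security in CFLAGS).

```shell
#!/bin/sh
# Scan compile lines of a build log for the hardening flags that
# dpkg-buildflags provides. A compile line without -D_FORTIFY_SOURCE=2
# is the tell-tale sign of a build system that drops CPPFLAGS.

# Constructed build log: the first gcc line mirrors a build that ignores
# CPPFLAGS, the second mirrors the same command after CPPFLAGS is appended
# to CFLAGS, the third is noise that a checker must skip.
SAMPLE_LOG='gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c -o pf_key.o pf_key.c
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c -o klipsdebug.o klipsdebug.c
make[1]: Leaving directory /build/openswan-2.6.37'

# Flags every compile line is expected to carry (assumed dpkg-buildflags set).
REQUIRED_FLAGS='-D_FORTIFY_SOURCE=2 -fstack-protector -Werror=format-security'

# check_log <logtext>: print one "MISSING <flag>: <line>" per compile line
# lacking a required flag; print nothing when every compile line is fine.
check_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        # Only compiler invocations that compile (-c) a source file count.
        case "$line" in
            gcc*" -c "*|cc*" -c "*|g++*" -c "*) ;;
            *) continue ;;
        esac
        for flag in $REQUIRED_FLAGS; do
            # Pad with spaces so the flag is matched as a whole word.
            case " $line " in
                *" $flag"*) ;;
                *) printf 'MISSING %s: %s\n' "$flag" "$line" ;;
            esac
        done
    done
}

# count_missing <logtext>: number of missing-flag reports; 0 means every
# compile line carries all required flags, so it can gate a build step.
count_missing() {
    check_log "$1" | wc -l | tr -d ' '
}

check_log "$SAMPLE_LOG"
```

Running it on the constructed log reports exactly one missing flag, -D_FORTIFY_SOURCE=2 on the pf_key.o line, which is the symptom the patch above removes.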
