Bug#680562: Enable hardening and multiarch

Jeroen Dekkers Fri, 06 Jul 2012 12:27:15 -0700

Package: yate
Version: 4.1.0-1~dfsg-2
Severity: important
Tags: patch

The attached patch enabled hardening by setting the debhelper compat
level 9 and compiling /usr/bin/yate as PIE. The patch also enables
multiarch because that's automatically enabled when changing to compat
level 9.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-26-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages yate depends on:
pn  adduser       3.113ubuntu2
pn  libc6         2.15-0ubuntu10
pn  libyate4.0.0  <none>
pn  yate-core     <none>

yate recommends no packages.

yate suggests no packages.

commit c0927bd741cd5467df339e2c2f94dc61c90299b5
Author: Jeroen Dekkers <jer...@dekkers.ch>
Date:   Wed Jul 4 01:53:23 2012 +0200

    Switch to debhelper level 9, enables hardening and multiarch

diff --git a/debian/compat b/debian/compat
index 7f8f011..ec63514 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-7
+9
diff --git a/debian/control b/debian/control
index edc06d8..ec368ec 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: comm
 Priority: optional
 Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
 Uploaders: Kilian Krause <kil...@debian.org>, Jose Carlos Garcia Sogo <js...@debian.org>, Mark Purcell <m...@debian.org>, Santiago Garcia Mantinan <ma...@debian.org>, Mikael Magnusson <mi...@users.sourceforge.net>, Faidon Liambotis <parav...@debian.org>, Tzafrir Cohen <tzafrir.co...@xorcom.com>
-Build-Depends: debhelper (>= 8),
+Build-Depends: debhelper (>= 9),
+ dpkg-dev (>= 1.16.1~),
  autotools-dev,
  dh-autoreconf,
  libopenh323-dev | libh323plus-dev (>= 1.22.0~),
@@ -42,6 +43,7 @@ Section: libs
 Replaces: libyate4.0.0
 Conflicts: libyate4.0.0
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends: multiarch-support
 Description: Shared library for YATE
  YATE is a telephony engine aimed at creating a telephony server that
  performs well enough to deal with PBX requirements and also flexible
diff --git a/debian/libyate4.1.0.install b/debian/libyate4.1.0.install
index 50cbbd1..a994e62 100644
--- a/debian/libyate4.1.0.install
+++ b/debian/libyate4.1.0.install
@@ -1 +1 @@
-usr/lib/libyate*.so.*
+usr/lib/*/libyate*.so.*
diff --git a/debian/patches/0002-Compile-daemon-as-PIE.patch b/debian/patches/0002-Compile-daemon-as-PIE.patch
new file mode 100644
index 0000000..fa7d14c
--- /dev/null
+++ b/debian/patches/0002-Compile-daemon-as-PIE.patch
@@ -0,0 +1,20 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -312,7 +312,7 @@
+ 	test -z "$$rev" || echo "$$rev" > packing/revision.txt
+ 
+ %.o: @srcdir@/%.cpp $(MKDEPS) @srcdir@/yatengine.h
+-	$(COMPILE) -c $<
++	$(COMPILE) -fPIE -c $<
+ 
+ @srcdir@/configure: @srcdir@/configure.in
+ 	cd @srcdir@ && ./autogen.sh --silent
+@@ -324,7 +324,7 @@
+ 	./config.status
+ 
+ yate: $(OBJS) $(LIBS) libyate.so
+-	$(LINK) -o $@ $(LIBTHR) $^ @LIBS@
++	$(LINK) -fPIE -pie -o $@ $(LIBTHR) $^ @LIBS@
+ 
+ libyate.so: $(YLIB)
+ 	ln -sf $^ $@
diff --git a/debian/patches/series b/debian/patches/series
index 7bd7b31..fbe0a0a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 warning-unknown-architecture.patch
 0001-Fix-parallel-make-v2.patch
+0002-Compile-daemon-as-PIE.patch
diff --git a/debian/rules b/debian/rules
index 9547703..025de7c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,5 +1,9 @@
 #!/usr/bin/make -f
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+export DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 DEBVERSION:=$(shell head -n 1 debian/changelog \
 		    | sed -e 's/^[^(]*(\([^)]*\)).*/\1/')
 UPVERSION:=$(shell echo $(DEBVERSION) | sed -e 's/^.*://' -e 's/-[0-9.]*$$//' -e 's/~dfsg$$//')
@@ -24,7 +28,7 @@ endif
 config.status: check-ilbc 
 	dh_autoreconf --as-needed
 	dh_auto_configure --\
-		--without-openh323 --disable-ilbc --without-amrnb --without-coredumper --enable-sctp
+		--without-openh323 --disable-ilbc --without-amrnb --without-coredumper --enable-sctp CFLAGS="$(CFLAGS) $(CPPFLAGS)"
 
 build: build-arch build-indep
 
diff --git a/debian/yate-alsa.install b/debian/yate-alsa.install
index cbb98c9..e8a963e 100644
--- a/debian/yate-alsa.install
+++ b/debian/yate-alsa.install
@@ -1 +1 @@
-usr/lib/yate/client/alsachan.yate
+usr/lib/*/yate/client/alsachan.yate
diff --git a/debian/yate-core.install b/debian/yate-core.install
index 750ffc9..ba30a9e 100644
--- a/debian/yate-core.install
+++ b/debian/yate-core.install
@@ -1,6 +1,6 @@
 etc/yate/*.conf
-usr/lib/yate/*.yate
-usr/lib/yate/client/osschan.yate
-usr/lib/yate/client/jabberclient.yate
-usr/lib/yate/sig/
+usr/lib/*/yate/*.yate
+usr/lib/*/yate/client/osschan.yate
+usr/lib/*/yate/client/jabberclient.yate
+usr/lib/*/yate/sig/
 usr/share/yate/data/*
diff --git a/debian/yate-dahdi.install b/debian/yate-dahdi.install
index 7e65580..ce0c362 100644
--- a/debian/yate-dahdi.install
+++ b/debian/yate-dahdi.install
@@ -1,3 +1,3 @@
-usr/lib/yate/server/zapcard.yate
+usr/lib/*/yate/server/zapcard.yate
 etc/yate/zapcard.conf
 
diff --git a/debian/yate-dev.install b/debian/yate-dev.install
index 000eed8..f327619 100644
--- a/debian/yate-dev.install
+++ b/debian/yate-dev.install
@@ -1,5 +1,5 @@
 usr/bin/yate-config
 usr/share/man/man8/yate-config.*
 usr/include/*
-usr/lib/libyate*.so
-usr/lib/pkgconfig/yate.pc
+usr/lib/*/libyate*.so
+usr/lib/*/pkgconfig/yate.pc
diff --git a/debian/yate-mysql.install b/debian/yate-mysql.install
index 3d3cca1..4a76955 100644
--- a/debian/yate-mysql.install
+++ b/debian/yate-mysql.install
@@ -1,2 +1,2 @@
-usr/lib/yate/server/mysqldb.yate
+usr/lib/*/yate/server/mysqldb.yate
 etc/yate/mysqldb.conf
diff --git a/debian/yate-pgsql.install b/debian/yate-pgsql.install
index b545d22..b8dc977 100644
--- a/debian/yate-pgsql.install
+++ b/debian/yate-pgsql.install
@@ -1,2 +1,2 @@
-usr/lib/yate/server/pgsqldb.yate
+usr/lib/*/yate/server/pgsqldb.yate
 etc/yate/pgsqldb.conf
diff --git a/debian/yate-qt4.install b/debian/yate-qt4.install
index b6368c7..3a10f91 100644
--- a/debian/yate-qt4.install
+++ b/debian/yate-qt4.install
@@ -1,5 +1,5 @@
 usr/bin/yate-qt4
-usr/lib/yate/qt4/*.yate
+usr/lib/*/yate/qt4/*.yate
 usr/lib/menu/yate-qt4.menu
 usr/share/applications/yate-qt4.desktop
 etc/yate/yate-qt4.conf
diff --git a/debian/yate-sctp.install b/debian/yate-sctp.install
index 92f4b10..cdf012c 100644
--- a/debian/yate-sctp.install
+++ b/debian/yate-sctp.install
@@ -1,2 +1,2 @@
-usr/lib/yate/server/lksctp.yate
+usr/lib/*/yate/server/lksctp.yate
 
diff --git a/debian/yate.install b/debian/yate.install
index 28a43f6..de6949d 100644
--- a/debian/yate.install
+++ b/debian/yate.install
@@ -1,6 +1,6 @@
 usr/bin/yate
-usr/lib/yate/server/*.yate
-usr/lib/yate/jabber/*.yate
-usr/lib/yate/sip/*.yate
+usr/lib/*/yate/server/*.yate
+usr/lib/*/yate/jabber/*.yate
+usr/lib/*/yate/sip/*.yate
 usr/share/man/man8/yate.*
 etc/yate/yate.conf

Bug#680562: Enable hardening and multiarch

Reply via email to