Package: nasm
Version: 2.10.01-1
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because they are ignored by the build system. For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue. dpkg-buildflags (used by buildflags.mk) automatically takes care of debug in DEB_BUILD_OPTIONS and passes -O2 by default. Therefore I removed it in the patch.

diff -Nru nasm-2.10.01/debian/rules nasm-2.10.01/debian/rules
--- nasm-2.10.01/debian/rules 2012-06-14 03:11:20.000000000 +0200
+++ nasm-2.10.01/debian/rules 2012-07-13 17:22:10.000000000 +0200
@@ -4,10 +4,8 @@ DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -CFLAGS += -O2 -ifneq ($(findstring debug,$(DEB_BUILD_OPTIONS)),) -CFLAGS += -g -endif +# The build system ignores CPPFLAGS, pass them through CFLAGS instead. +CFLAGS += $(CPPFLAGS) clean: dh_testdir

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything):

$ hardening-check /usr/bin/rdf2bin /usr/bin/rdflib /usr/bin/rdx /usr/bin/ldrdf
...
/usr/bin/rdf2bin:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/rdflib:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/rdx:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/ldrdf:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
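Review bot: the hunk drops both the unconditional `CFLAGS += -O2` and the `ifneq ($(findstring debug,$(DEB_BUILD_OPTIONS)),)` / `CFLAGS += -g` block, but the only comment left in debian/rules explains the CPPFLAGS pass-through; the reason the optimisation and debug flags can go (the message states that dpkg-buildflags, via buildflags.mk, already supplies -O2 and handles debug in DEB_BUILD_OPTIONS) should be recorded next to `+CFLAGS += $(CPPFLAGS)` so a later maintainer does not re-add them. The ordering is right: the `include /usr/share/dpkg/buildflags.mk` context line precedes the append, so $(CPPFLAGS) is already populated when it is folded into CFLAGS. Folding CPPFLAGS into CFLAGS is a workaround that only holds as long as the build system keeps honouring CFLAGS on every compile; the hardening-check output in the message ("Fortify Source functions: yes") is the evidence that it currently does, so the blhc pass over the build log that the message recommends is the regression check to keep for this.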
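Added example, not part of the bug report: a POSIX sh/awk filter for the hardening-check output format quoted above, so the `find ... -exec hardening-check {} +` sweep the report recommends can gate a build instead of being read by eye. The function names are mine; the binary paths in SAMPLE are the report's, but the per-check results in it are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): post-process hardening-check
# output and fail when a required protection is reported as "no".
# SAMPLE is constructed in hardening-check's format; the paths come from
# the report, the individual results do not.
SAMPLE='/usr/bin/rdf2bin:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
/usr/bin/rdflib:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!'

# Read hardening-check output on stdin; print "<binary>\t<check>" for every
# check answered "no". A line without a leading space names the next binary.
missing_protections() {
    awk -F': ' '
        /^[^ ]/ { bin = $1; sub(/:$/, "", bin); next }
        /^ / && $2 ~ /^no/ {
            check = $1; sub(/^ +/, "", check)
            printf "%s\t%s\n", bin, check
        }'
}

# Exit 1 if any check is missing, except PIE and immediate binding, which
# (as the report notes) are not enabled by default; those are only warned.
check_required() {
    missing_protections | awk -F'\t' '
        $2 == "Position Independent Executable" || $2 == "Immediate binding" {
            printf "warn: %s lacks %s (optional)\n", $1, $2; next
        }
        { printf "FAIL: %s lacks %s\n", $1, $2; bad = 1 }
        END { exit bad }'
}

# Typical use on a build result, feeding the sweep from the report:
#   find -type f \( -executable -o -name \*.so\* \) \
#       -exec hardening-check {} + | check_required
```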