Bug#666767: libnet-dns-perl: Please build with hardening flags

Sat, 08 Sep 2012 12:24:16 -0700 

Package: libnet-dns-perl
Version: 0.66-2+b2
Followup-For: Bug #666767

reopen 666767
tags 666767 patch
thanks

Dear Maintainer,

The CPPFLAGS hardening flags are still missing because they are
not set in debian/rules. For more hardening information please
have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru libnet-dns-perl-0.68/debian/rules libnet-dns-perl-0.68/debian/rules
--- libnet-dns-perl-0.68/debian/rules   2012-08-22 20:36:19.000000000 +0200
+++ libnet-dns-perl-0.68/debian/rules   2012-09-08 21:03:32.000000000 +0200
@@ -43,7 +43,7 @@
 
        # COMPRESS='gzip -9'
 
-       $(MAKE) OPTIMIZE="$(CFLAGS)" OTHERLDFLAGS="$(LDFLAGS)"
+       $(MAKE) OPTIMIZE="$(CFLAGS) $(CPPFLAGS)" OTHERLDFLAGS="$(LDFLAGS)"
                # CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
                # OPTIMIZE="$(CFLAGS)"
 

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/lib/perl5/auto/Net/DNS/DNS.so 
/usr/lib/perl5/auto/Net/DNS/DNS.so
    /usr/lib/perl5/auto/Net/DNS/DNS.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/perl5/auto/Net/DNS/DNS.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!

(The flags are passed correctly with the patch, even if the
"Fortify Source functions" message doesn't state it.)

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to