Package: lifeograph
Version: 0.9.0.dfsg-1
Severity: normal
Tags: patch

Dear Maintainer,
The following CXXFLAGS hardening flags are missing because they are not set correctly in debian/rules and makefile.debian:

CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security):
g++ -c src/dialog_export.cpp -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include -D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_export.o
CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security):
g++ -c src/dialog_password.cpp -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include -D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_password.o
CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security):
g++ -c src/dialog_preferences.cpp -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include -D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_preferences.o
[...]

For more hardening information please have a look at [1], [2] and [3].

CPPFLAGS is not used for C++ flags, but for preprocessor flags (cpp, e.g. -D_FORTIFY_SOURCE=2). C++ flags are passed in CXXFLAGS.

The attached patches fix the issue. The first is a revised version of use_environmental_build_flags.patch, the second fixes debian/rules.

The first patch uses := ... $(CXXFLAGS) to overwrite the flags from pkg-config, which might not contain the correct flags; += would overwrite the flags in CXXFLAGS. := is necessary because CXXFLAGS is used in its own definition.

The second patch also removes some unnecessary settings. buildflags.mk already sets all the *FLAGS variables by calling dpkg-buildflags, therefore it's not necessary to call dpkg-buildflags again. dpkg-buildflags automatically adds -g and takes care of -O2 (and respects noopt). The patch also appends CPPFLAGS to CXXFLAGS because the build system doesn't use CPPFLAGS. -fPIC is not necessary because hardening=+all already passes -fPIE (the equivalent for binaries).
To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything):

$ hardening-check /usr/bin/lifeograph
/usr/bin/lifeograph:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
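The report checks the build log with blhc; as an added illustration (not part of the report or of lifeograph), here is a small log scanner of the same kind: it tokenises each compile line, ignores the unexpanded `pkg-config` substitution, and lists which of the hardening flags named above are absent. The names missing_hardening_flags, has_flag and SAMPLE_LOG are my own, the sample log is constructed after the lines quoted in the report, and the scanner goes slightly beyond the page by also accepting -fstack-protector-strong and honouring gcc's last-option-wins rule for -fno-stack-protector.

```python
import re
import shlex

# Hardening flags that dpkg-buildflags emits with hardening=+all, as listed in the
# report above (-g/-O2 are not checked because DEB_BUILD_OPTIONS=noopt changes them).
EXPECTED_CXXFLAGS = ["-fstack-protector", "--param=ssp-buffer-size=4",
                     "-Wformat", "-Werror=format-security"]
EXPECTED_CPPFLAGS = ["-D_FORTIFY_SOURCE=2"]

COMPILER_RE = re.compile(r"^(?:g\+\+|c\+\+|gcc|cc)(?:-[\d.]+)?\s")


def has_flag(argv, flag):
    """gcc semantics: the last -f[no-]stack-protector* option on the line wins."""
    if flag == "-fstack-protector":
        related = [a for a in argv
                   if a.startswith("-fstack-protector") or a == "-fno-stack-protector"]
        return bool(related) and related[-1] != "-fno-stack-protector"
    return flag in argv


def missing_hardening_flags(log_text):
    """Scan a build log and return {object file: [missing flags]} for every
    compile line (one with -c) that lacks an expected hardening flag."""
    problems = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not COMPILER_RE.match(line):
            continue
        # `pkg-config ...` substitutions are shown unexpanded in the log; they
        # never carry hardening flags, so drop them before tokenising.
        argv = shlex.split(re.sub(r"`[^`]*`", " ", line))
        if "-c" not in argv:
            continue  # link step, not a compile step
        missing = [f for f in EXPECTED_CXXFLAGS + EXPECTED_CPPFLAGS if not has_flag(argv, f)]
        if missing:
            target = argv[argv.index("-o") + 1] if "-o" in argv else line
            problems[target] = missing
    return problems


# Constructed sample log: the first line mirrors the unpatched build in the report,
# the second shows a compile with the expected flags, the third is a link step.
SAMPLE_LOG = """\
g++ -c src/dialog_export.cpp -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include -D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_export.o
g++ -c src/dialog_password.cpp -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags` -DHAVE_CONFIG_H -I./build/include -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIE -o build/o/dialog_password.o
g++ -o build/bin/lifeograph build/o/dialog_export.o build/o/dialog_password.o -s -lgcrypt -lgpg-error
"""
```

Running missing_hardening_flags(SAMPLE_LOG) reports only build/o/dialog_export.o, with the same four missing CXXFLAGS that blhc lists in the report.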
Description: use CPPFLAGS and LDFLAGS from environment Use normal build flags from environment, not only upstream similarly named ones. Author: Laszlo Boszormenyi (GCS) <g...@debian.hu> Last-Update: 2012-09-24 --- Index: lifeograph-0.9.0.dfsg/makefile.debian =================================================================== --- lifeograph-0.9.0.dfsg.orig/makefile.debian 2012-07-08 08:33:22.000000000 +0200 +++ lifeograph-0.9.0.dfsg/makefile.debian 2012-09-24 16:00:49.796847080 +0200 @@ -55,11 +55,12 @@ BUIBINDIR = $(BUIDIR)/bin BIN = $(BUIBINDIR)/$(PACKAGE) -LINKFLAGS = -s +LINKFLAGS = -s $(LDFLAGS) LIBS = `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags --libs` -lgcrypt -lgpg-error -CXXFLAGS = -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include +CXXFLAGS := -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include $(CXXFLAGS) ICONS = icons -OPTFLAGS = -O2 +# Debian passes -O* flags in CXXFLAGS, necessary for noopt. +OPTFLAGS = PREFIX ?= /usr BINDIR = $(PREFIX)/bin
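Review bot: `+LINKFLAGS = -s $(LDFLAGS)` keeps `-s`, which strips the binary at link time; that throws away the `-g` debug information dpkg-buildflags puts into CXXFLAGS and defeats DEB_BUILD_OPTIONS=nostrip, so drop `-s` and leave stripping to dh_strip. In the new `CXXFLAGS :=` line the closing backtick of the pkg-config substitution runs straight into -DHAVE_CONFIG_H with no separating space, so correct tokenisation depends on pkg-config's output ending in whitespace; add a space there. Putting `$(CXXFLAGS)` last is the right order, since with `+=` the environment's flags would come first and the hardcoded ones would take precedence.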
diff -Nru lifeograph-0.9.0.dfsg/debian/rules lifeograph-0.9.0.dfsg/debian/rules --- lifeograph-0.9.0.dfsg/debian/rules 2012-07-14 20:03:33.000000000 +0200 +++ lifeograph-0.9.0.dfsg/debian/rules 2012-09-24 16:09:45.000000000 +0200 @@ -11,20 +11,12 @@ DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -CFLAGS ?= $(shell dpkg-buildflags --get CFLAGS) -CPPFLAGS ?= $(shell dpkg-buildflags --get CPPFLAGS) -LDFLAGS ?= $(shell dpkg-buildflags --get LDFLAGS) -CFLAGS += $(HARDENING_CFLAGS) -CPPFLAGS += $(HARDENING_CFLAGS) -fPIC -LDFLAGS += $(HARDENING_LDFLAGS) +CXXFLAGS += -Wall +# The build system doesn't respect CPPFLAGS, pass them in CXXFLAGS instead. +CXXFLAGS += $(CPPFLAGS) package = lifeograph CC = gcc -CFLAGS += -g -Wall - -ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O2 -endif clean:
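Review bot: `+CXXFLAGS += $(CPPFLAGS)` is a workaround rather than a fix; since makefile.debian is patched anyway, the cleaner change is to have its compile rule pass $(CPPFLAGS) itself so -D_FORTIFY_SOURCE=2 reaches the preprocessor through the standard variable, after which the comment and this line can go. `+CXXFLAGS += -Wall` duplicates the -Wall that makefile.debian already hardcodes in its own CXXFLAGS line and can be dropped. Removing the dpkg-buildflags calls, `CFLAGS += -g -Wall` and the noopt block is correct because buildflags.mk (included just above with DPKG_EXPORT_BUILDFLAGS = 1) already supplies -g, -O2 and the noopt handling; note that the appends must stay below that include, as they do here, or the include would reset them.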