Bug#690040: freeipmi: Build with PIE, bindnow, openfiles with O_EXCL and check return status

Dave Walker (Daviey) Tue, 09 Oct 2012 05:30:24 -0700

Package: freeipmi
Version: 1.1.5-3
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch





In Ubuntu, the attached patch was applied to achieve the following:


  * debian/rules: Build with "-pie,-bindnow"
  * debian/patches/0002_excel_when_opening_tmp.patch: Open files with O_EXCL.
  * debian/patches/fix-Wunused-result.patch: Resolve -Wunused-result's 
    warnings, by checking for non-0 return. 

I'm not sure fix-Wunused-result.patch adds any value to the latest experimental 
package.

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 
'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru freeipmi-1.1.5/debian/changelog freeipmi-1.1.5/debian/changelog
diff -Nru freeipmi-1.1.5/debian/patches/0002_excel_when_opening_tmp.patch freeipmi-1.1.5/debian/patches/0002_excel_when_opening_tmp.patch
--- freeipmi-1.1.5/debian/patches/0002_excel_when_opening_tmp.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeipmi-1.1.5/debian/patches/0002_excel_when_opening_tmp.patch	2012-10-07 20:17:11.000000000 +0100
@@ -0,0 +1,26 @@
+Index: freeipmi-1.1.5/libipmiconsole/ipmiconsole_debug.c
+===================================================================
+--- freeipmi-1.1.5.orig/libipmiconsole/ipmiconsole_debug.c	2012-05-17 15:08:55.000000000 -0400
++++ freeipmi-1.1.5/libipmiconsole/ipmiconsole_debug.c	2012-10-02 10:32:04.755269452 -0400
+@@ -84,7 +84,7 @@
+                 IPMICONSOLE_DEBUG_DIRECTORY,
+                 IPMICONSOLE_DEBUG_FILENAME);
+ 
+-      if ((console_debug_fd = open (filename, O_CREAT | O_APPEND | O_WRONLY, 0600)) < 0)
++      if ((console_debug_fd = open (filename, O_CREAT | O_APPEND | O_WRONLY | O_EXCL, 0600)) < 0)
+         {
+           console_debug_flags &= ~IPMICONSOLE_DEBUG_FILE;
+           IPMICONSOLE_DEBUG (("open: %s", strerror (errno)));
+Index: freeipmi-1.1.5/libipmiconsole/ipmiconsole_ctx.c
+===================================================================
+--- freeipmi-1.1.5.orig/libipmiconsole/ipmiconsole_ctx.c	2012-05-17 15:08:55.000000000 -0400
++++ freeipmi-1.1.5/libipmiconsole/ipmiconsole_ctx.c	2012-10-02 10:34:50.559273698 -0400
+@@ -351,7 +351,7 @@
+                 c->config.hostname);
+ 
+       if ((c->debug.debug_fd = open (filename,
+-                                     O_CREAT | O_APPEND | O_WRONLY,
++                                     O_CREAT | O_APPEND | O_WRONLY | O_EXCL,
+                                      0600)) < 0)
+         {
+           c->config.debug_flags &= ~IPMICONSOLE_DEBUG_FILE;
diff -Nru freeipmi-1.1.5/debian/patches/fix-Wunused-result.patch freeipmi-1.1.5/debian/patches/fix-Wunused-result.patch
--- freeipmi-1.1.5/debian/patches/fix-Wunused-result.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeipmi-1.1.5/debian/patches/fix-Wunused-result.patch	2012-10-09 12:27:26.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Resolve -Wunused-result's warnings, by checking for non-0 return.
+ Patch not upstreamed, as trunk has refactored this case out.
+Author: Dave Walker (Daviey) <davewal...@ubuntu.com>
+Forwarded: not-needed
+
+--- a/bmc-watchdog/bmc-watchdog.c
++++ b/bmc-watchdog/bmc-watchdog.c
+@@ -1692,7 +1692,8 @@
+         {
+           /* parent terminates */
+           char buf;
+-          read(fds[0], &buf, 1);
++          if (read(fds[0], &buf, 1) < 0)
++            _err_exit ("read: %s", strerror (errno));
+           close(fds[1]);
+           close(fds[0]);
+           exit (0);
+@@ -1718,7 +1719,8 @@
+ 
+       umask (0);
+ 
+-      write(fds[1], "a", 1);
++      if (write(fds[1], "a", 1) < 0)
++        _err_exit ("write: %s", strerror (errno));
+       close(fds[1]);
+       close(fds[0]);
+       for (i = 0; i < 64; i++)
+--- a/ipmidetectd/ipmidetectd.c
++++ b/ipmidetectd/ipmidetectd.c
+@@ -69,7 +69,8 @@
+     {
+       /* Terminate Parent */
+       char buf;
+-      read(fds[0], &buf, 1);
++      if (read(fds[0], &buf, 1) < 0)
++        IPMIDETECTD_EXIT (("read: %s", strerror (errno)));
+       close(fds[1]);
+       close(fds[0]);
+       exit (0);
+@@ -86,10 +87,12 @@
+   if (pid != 0)                 /* Terminate 1st Child */
+     exit (0);
+ 
+-  chdir ("/");
++  if (chdir ("/") < 0)
++    IPMIDETECTD_EXIT (("chdir: %s", strerror (errno)));
+ 
+   umask (0);
+-  write(fds[1], "a", 1);
++  if (write(fds[1], "a", 1) < 0)
++    IPMIDETECTD_EXIT (("write: %s", strerror (errno)));
+   close(fds[1]);
+   close(fds[0]);
+ 
diff -Nru freeipmi-1.1.5/debian/patches/series freeipmi-1.1.5/debian/patches/series
--- freeipmi-1.1.5/debian/patches/series	2012-06-15 02:41:57.000000000 +0100
+++ freeipmi-1.1.5/debian/patches/series	2012-10-07 22:17:30.000000000 +0100
@@ -1,3 +1,5 @@
 up_fixmanpages
 deb_bmc-watchdog_noRUN
 0001-Fix-Wformat-security-warnings.patch
+0002_excel_when_opening_tmp.patch
+fix-Wunused-result.patch
diff -Nru freeipmi-1.1.5/debian/rules freeipmi-1.1.5/debian/rules
--- freeipmi-1.1.5/debian/rules	2012-06-15 02:41:57.000000000 +0100
+++ freeipmi-1.1.5/debian/rules	2012-10-07 20:17:11.000000000 +0100
@@ -4,6 +4,8 @@
 # We use some bashisms
 SHELL=/bin/bash
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow
+
 # mega rule -- Joey knows how to do the rest
 %:
 	dh $@ --with autotools_dev

Bug#690040: freeipmi: Build with PIE, bindnow, openfiles with O_EXCL and check return status

Reply via email to