Package: unbound
Version: 1.4.20-1
Severity: normal
Tags: patch

Dear Maintainer,

The unbound/libunbound2 packages have some hardening options enabled but they are missing PIE/BINDNOW as shown here:

$ hardening-check /usr/lib/x86_64-linux-gnu/libunbound.so.2.1.5 /usr/sbin/unbound
/usr/lib/x86_64-linux-gnu/libunbound.so.2.1.5:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
/usr/sbin/unbound:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

The attached patch enables PIE and BINDNOW and the resulting binary/lib tested OK.

Regards,
Simon Deziel

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages unbound depends on:
ii  adduser         3.113+nmu3
ii  libc6           2.17-3
ii  libevent-2.0-5  2.0.19-stable-3
ii  libgcc1         1:4.8.0-7
ii  libldns1        1.6.13-4+b1
ii  libpython2.7    2.7.5-4
ii  libssl1.0.0     1.0.1e-2
ii  openssl         1.0.1e-2
ii  unbound-anchor  1.4.20-1

unbound recommends no packages.

unbound suggests no packages.

-- no debconf information
--- unbound-1.4.20.orig/debian/rules 2013-04-13 16:40:27.000000000 -0400 +++ unbound-1.4.20/debian/rules 2013-05-25 16:39:38.042546104 -0400 @@ -4,10 +4,9 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) LIBRARY = libunbound2 -CFLAGS = `dpkg-buildflags --get CFLAGS` -CFLAGS += -fPIC -LDFLAGS = `dpkg-buildflags --get LDFLAGS` -CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk clean: dh clean
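Review bot: the hunk removes `CFLAGS += -fPIC` with nothing replacing it, while `hardening=+all` only contributes `-fPIE` and `-pie`; since libunbound2 is built from the same rules file, state explicitly that the shared library objects are still compiled position-independent (libtool adds -fPIC for shared objects on its own, which the "resulting binary/lib tested OK" remark suggests but does not say). Also, `include /usr/share/dpkg/buildflags.mk` makes debian/rules depend on a dpkg-dev that ships that file, and the patch touches only debian/rules; check that the Build-Depends on dpkg-dev in debian/control is new enough, and add it if it is not.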
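To reproduce the two checks this report is about (PIE and immediate binding) without hardening-check, here is an added example that is not part of Simon Deziel's report, of unbound, or of hardening-check: a minimal ELF64 reader that looks at e_type and at the DT_BIND_NOW / DT_FLAGS / DT_FLAGS_1 entries of the PT_DYNAMIC segment. The build_elf helper and the images it produces are constructed test fixtures, and the PIE test is simplified to "e_type == ET_DYN" (a shared library is ET_DYN too, which is why hardening-check marks libunbound.so as ignored).

```python
import struct
import sys

# ELF constants from the gABI spec (values as in glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf64_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'bindnow': bool} for a little-endian ELF64 image.
    PIE: e_type == ET_DYN (simplified). Immediate binding: PT_DYNAMIC carries
    DT_BIND_NOW, DT_FLAGS & DF_BIND_NOW, or DT_FLAGS_1 & DF_1_NOW.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    bindnow = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, ph)[0] != PT_DYNAMIC:
            continue
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, ph + 8)
        for j in range(p_filesz // 16):  # each Elf64_Dyn entry is 16 bytes
            tag, val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bindnow = True
    return {"pie": e_type == ET_DYN, "bindnow": bindnow}

def build_elf(e_type: int, dyn_entries) -> bytes:
    """Constructed fixture: ELF64 header + one PT_DYNAMIC phdr + dynamic table."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class64, LSB, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, 1, 64, 0, 0)           # e_phoff=64, e_phnum=1
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), 0, 8)
    return hdr + phdr + dyn  # dynamic table starts right after the 56-byte phdr

if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/sbin/unbound  (prints both flags per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf64_hardening(fh.read()))
```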