Bug#760699: Hardened build flags not fully enabled

Sat, 06 Sep 2014 18:46:08 -0700 

Package: apt-cacher-ng
Version: 0.7.27-1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

Please find attached a patch that enable all hardening flags in your
package.

Although apt-cacher-ng use dh/9, CPPFLAGS (fortify) was not enabled.
Besides since debhelper 0.9.20120417 handle the workaround appending
CPPFLAGS to CXXFLAGS, i still had to do (i've not investigated though).
I've also enabled the optionals pie and bindnow.

After the build i've made some tests (apt-get update && apt-get install
$package through apt-cacher-ng) which confirm that it won't break
anything (at least at first glance).

Finally, i've made the build verbose to let blhc see if all flags are
enabled in the future.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUC7d3AAoJEJmGUYuaqqClvoQP/i9rbzn23sH9w9T4Xo9R4BnO
KbkIth35qiy13mj+X2ryS4L7arrCGZkCmGDM/Cd//CY5DiuoSrsXQvE8yfWHOd1n
EZ9TIt5ksJkrrfFLcHyJefwqCwD+k/hEQ6s0h3qUml8BTQPvnOGw0ZiquuT0j8Mj
Zn0HnIxxbpI8qcElQsQVRPK2EBmPMd/BGxTJPjlCITVxfTt8StZqPr+8zv+ScWx7
IpKwLsZWIFeFQsI1UUSVlYo9fjUgc+LJTvFLMfowYRGfVmptsxuyFgzEW6bvBvV9
NurWIDVtGisZLLQVati0P3/grJmWLk3gqGBvTBk56cBLtO7QzKULQ9ZbkO99cHh8
4yjjil2ziXrGU85wTjSjWPkkyx1CtbTm7eyE/10SiSKjhp5M7TbWyjIuAjOlrysB
9uJQ9iIrxyoYDoyorTwju80jo4dlmPCBLdbuDnl6nQC+vPS/GTXVj9H7m7n1KHdB
TvDa1GqvJaJevYT+Nvm4kc4n1FIpWry64Dgd8wroV16zUFU04MFfdO6oIEX9q8f0
8jn0+OOs42pZXFVp7SycR/qLd7o6/HDIqNi/6LQCwOqWGk1HK0bq3gqHKLwY099U
bXY1Lem/pkyp+WrFhhIsQpvGtgMpkiYgTs4PPqUdDJaCTsffP93YHgpaoKZJ00/l
Ouj5qQrm72NJjl0Y+K3E
=ylIF
-----END PGP SIGNATURE-----

diff -Nru apt-cacher-ng-0.7.27/debian/rules apt-cacher-ng-0.7.27/debian/rules
--- apt-cacher-ng-0.7.27/debian/rules	2014-07-17 21:35:38.000000000 +0200
+++ apt-cacher-ng-0.7.27/debian/rules	2014-09-07 02:55:35.000000000 +0200
@@ -3,9 +3,16 @@
 TGT=$(CURDIR)/debian/apt-cacher-ng
 CDIR=$(TGT)/etc/apt-cacher-ng
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+# cmake doesn't follow CPPFLAGS, see #653916
+CXXFLAGS+=$(CPPFLAGS)
+
 %:
 	dh $@ --parallel --with systemd
 
+override_dh_auto_build:
+	dh_auto_build -- VERBOSE=1
+
 override_dh_install:
 	dh_install $(test -e build/acngfs || echo -Xacngfs)
 	cp systemd/apt-cacher-ng.service debian

Reply via email to