Bug#764409: Hardening options incomplete

Tue, 07 Oct 2014 14:04:32 -0700 

Package: open-iscsi
Version: 2.0.873+git0.3b4b4500-4
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Hello,

Please consider re-enabling the previous applied
03_hardened-build-flags.patch as open-isci is currently not fully hardened:
missing PIE, relro and bindnow. I've just refreshed the patch to add -fPIC to
the open-isns library (see debdiff attached).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUNFQlAAoJEJmGUYuaqqClakUP/2aDIgds54yEx9e6sKTmrJbC
ggjcphA1jaI+yxTulMmbfBg3JqtNRC/lYH6FZu7sTnncfcy5CcoSR+fAhEXd5c0Q
C19oT5Y8fFmdBV1w+DgZ9CHZsAdvA+CO+e714WSt7zYnNa+yTSKwJEx3emeRiU3L
zFSb8Gudv/hFKJXxzs9sF3K1ZFiy5NwO0BPf6EFrQbFfb3VQKsVYUpWidnowUkM6
lVC+Ay8PBpwa1WtwvfKbYJ3mCOXCYAQDnK4HqwMW8Rf6U9Vn9F9Qm17nB/VxEgXa
XRvB2ArYqx5kJ+Vz5dUtgNnNL7gfvTuBZdPj7gfKtuNDXkS4/iVA+JV/vLoMQf0j
CxZbA1Ik3uwgH7C13QQH4Lbw9/cUmPHOC4rKX3bSKBoAJx/RyYJTed82dhUYRPRS
+/GA8o9FSkh4LAScoNM7dDpycJqDlGFYvXhgDersWh6MdhaHxUEItIbpWMB1lCSu
cq4A7sUG1Tu0OqG6y0T7CMB3diuOxTZPFd08LWCb5mvfS/7FE+9tWlvmUV6Rw3gu
H6tR4oNGBVMS/nC8Ow8OY2kl/2pk50IS/tQ2PQAFdXltGPI14PZTnHS2V4tEX8Ph
sySUGzdfhHl5+E74aqrMPREwVnQF1C5+2r5xjrepPQhIHdmXBDjaj0f1exCUrIPP
cZoN/RkycWxwGCA/10xl
=MOee
-----END PGP SIGNATURE-----

diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/changelog open-iscsi-2.0.873+git0.3b4b4500/debian/changelog
--- open-iscsi-2.0.873+git0.3b4b4500/debian/changelog	2014-09-01 11:03:23.000000000 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/changelog	2014-10-07 22:48:32.000000000 +0200
@@ -1,3 +1,11 @@
+open-iscsi (2.0.873+git0.3b4b4500-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-enable 03_hardened-build-flags.patch and refresh it to enable -dPIC
+    to utils/open-isns lib.
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Sun, 21 Sep 2014 12:06:00 +0200
+
 open-iscsi (2.0.873+git0.3b4b4500-4) unstable; urgency=medium
 
   * [41c7eca] Introduce new architectures based on current build
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch
--- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch	2014-08-20 15:53:55.000000000 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch	2014-10-07 22:45:27.000000000 +0200
@@ -1,9 +1,9 @@
 hardened build flags - wheezy release goal
-Index: open-iscsi/usr/Makefile
+Index: open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile
 ===================================================================
---- open-iscsi.orig/usr/Makefile	2013-11-05 20:56:40.013418719 +0530
-+++ open-iscsi/usr/Makefile	2013-11-05 20:56:40.009418719 +0530
-@@ -28,7 +28,7 @@
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/usr/Makefile
++++ open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile
+@@ -28,7 +28,7 @@ IPC_OBJ=ioctl.o
  endif
  endif
  
@@ -12,7 +12,7 @@
  WARNFLAGS ?= -Wall -Wstrict-prototypes
  CFLAGS += $(OPTFLAGS) $(WARNFLAGS) -I../include -I. -I../utils/open-isns \
  				-D$(OSNAME) $(IPC_CFLAGS)
-@@ -55,14 +55,14 @@
+@@ -55,14 +55,14 @@ all: $(PROGRAMS)
  
  iscsid: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(DISCOVERY_SRCS) \
  	iscsid.o session_mgmt.o discoveryd.o
@@ -30,10 +30,10 @@
  clean:
  	rm -f *.o $(PROGRAMS) .depend $(LIBSYS)
  
-Index: open-iscsi/utils/Makefile
+Index: open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile
 ===================================================================
---- open-iscsi.orig/utils/Makefile	2013-11-05 20:56:40.013418719 +0530
-+++ open-iscsi/utils/Makefile	2013-11-05 20:56:40.009418719 +0530
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/Makefile
++++ open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile
 @@ -1,12 +1,12 @@
  # This Makefile will work only with GNU make.
  
@@ -49,3 +49,16 @@
  
  clean:
  	rm -f *.o $(PROGRAMS) .depend
+Index: open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in
+===================================================================
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/open-isns/Makefile.in
++++ open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in
+@@ -13,7 +13,7 @@ VARDIR	= $(INSTALL_ROOT)$(vardir)
+ 
+ CC	= @CC@
+ CPPFLAGS= @CPPFLAGS@
+-CFLAGS	= @CFLAGS@ -I.
++CFLAGS	= @CFLAGS@ -I. -fPIC
+ LDFLAGS	= @LDFLAGS@
+ 
+ LIB	= libisns.a
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series
--- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series	2014-08-20 15:53:55.000000000 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series	2014-10-07 21:42:37.000000000 +0200
@@ -1,4 +1,5 @@
 01_spelling-errors-and-manpage-hyphen-fixes.patch
 02_make-iscsistart-a-dynamic-binary.patch
+03_hardened-build-flags.patch
 04_fix_iscsi_path.patch
 05-disable-iscsiuio.patch
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/rules open-iscsi-2.0.873+git0.3b4b4500/debian/rules
--- open-iscsi-2.0.873+git0.3b4b4500/debian/rules	2014-08-20 15:53:55.000000000 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/rules	2014-10-07 22:26:59.000000000 +0200
@@ -69,6 +69,7 @@
 
 	# Add here commands to clean up after the build process.
 	$(MAKE) -C utils/fwparam_ibft clean
+	[ ! -f utils/open-isns/Makefile ] || $(MAKE) -C utils/open-isns clean
 	$(MAKE) -C usr clean
 	$(MAKE) -C utils clean
 	rm -rf modules

Reply via email to