Source: openldap Severity: normal Tags: patch User: debian...@lists.debian.org Usertags: hardening
Hardening options is a proposed release goal for Wheezy [1]. Having important package, interpreters and daemons compiled with the hardening options will add various protections against issues such as stack smashing, predictable locations of values in memory, etc. I have rebuilt the package with hardening options enabled and there was no error (during build, or at runtime). The attached patch adds a minimal modification to the debian/rules file to add support for hardening flags (other methods are available). Note that PIE and bindnow are not enabled by default, and that you can decide to enable this options for additional features (see the following link for details). You can control and enable/disable each hardening flag independently, see http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html for details. Thanks, Pierre [1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
--- openldap-2.4.25.orig/debian/rules 2011-10-05 18:56:46.000000000 +0200 +++ openldap-2.4.25/debian/rules 2011-10-05 18:09:23.000000000 +0200 @@ -6,7 +6,10 @@ # want the checks for DFSG-freeness. #DFSG_NONFREE = 1 -CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +CFLAGS += -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE INSTALL = install INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644 INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755
