Bug#652449: elinks: Hardening CPPFLAGS missing, please enable pie and bindnow

Sat, 17 Dec 2011 03:21:23 -0800 

Package: elinks
Version: 0.12~pre5-6
Severity: normal
Tags: patch

Hello,

Hardening flags were only enabled partially in 0.12~pre5-6,
CPPFLAGS is missing. The attached patch fixes this and also
enables pie and bindnow for elinks (builds and works fine for
me). As a browser elinks reads untrusted data and thus the
additional hardening flags are recommended.

Regards,
Simon

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages elinks depends on:
ii  elinks-data       0.12~pre5-6
ii  libbz2-1.0        1.0.6-1
ii  libc6             2.13-23
ii  libcomerr2        1.42-1
ii  libexpat1         2.0.1-7.2
ii  libfsplib0        0.11-2
ii  libgnutls26       2.12.14-4
ii  libgpm2           1.20.4-4
ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
ii  libidn11          1.23-2
ii  libk5crypto3      1.10+dfsg~alpha1-6
ii  libkrb5-3         1.10+dfsg~alpha1-6
ii  liblua50          5.0.3-6
ii  liblualib50       5.0.3-6
ii  libperl5.14       5.14.2-6
ii  libruby1.8        1.8.7.352-2
ii  libtre5           0.8.0-2
ii  zlib1g            1:1.2.3.4.dfsg-3

elinks recommends no packages.

Versions of packages elinks suggests:
pn  elinks-doc  <none>

-- no debconf information

diff -u elinks-0.12~pre5/debian/rules elinks-0.12~pre5/debian/rules
--- elinks-0.12~pre5/debian/rules
+++ elinks-0.12~pre5/debian/rules
@@ -17,9 +17,14 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
+# Use hardening flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 CFLAGS_COMMON=-g
 CFLAGS_COMMON += `dpkg-buildflags --get CFLAGS`
 
+CPPFLAGS_COMMON = `dpkg-buildflags --get CPPFLAGS`
+
 LDFLAGS_COMMON="-Wl,-z,defs"
 LDFLAGS_COMMON += `dpkg-buildflags --get LDFLAGS`
 
@@ -129,11 +134,11 @@
 build-arch-stamp: patch-stamp save-stamp
 	mkdir $(CURDIR)/build-main && cd $(CURDIR)/build-main && \
 		$(CURDIR)/configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-		$(confopts_main) CFLAGS="$(CFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
+		$(confopts_main) CFLAGS="$(CFLAGS_COMMON)" CPPFLAGS="$(CPPFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
 	$(MAKE) -C $(CURDIR)/build-main
 	mkdir $(CURDIR)/build-lite && cd $(CURDIR)/build-lite && \
 		$(CURDIR)/configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-		$(confopts_lite) CFLAGS="$(CFLAGS_COMMON) $(CFLAGS_LITE)" LDFLAGS="$(LDFLAGS_COMMON)"
+		$(confopts_lite) CFLAGS="$(CFLAGS_COMMON) $(CFLAGS_LITE)" CPPFLAGS="$(CPPFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
 	$(MAKE) -C $(CURDIR)/build-lite
 	touch $@

Reply via email to