On Thu, Jan 5, 2012 at 10:46 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> Source: firebird2.5
> Severity: important
>
> Hi,
> I'm currently checking all packages, which had a DSA in the last
> year to enable hardened build flags. firebird2.5 has already been
> updated to use dpkg-buildflags, but I noticed that not all flags
> are fully in effect. You can use the hardening-check scripts from
> the package hardening includes:
>
> Out of the three hardening features from the Wheezy default set
> (protected stack, fortified source and relro) not all are fully
> applied, e.g.
>
> root@pisco:~# hardening-check /usr/sbin/fb_inet_server
> /usr/sbin/fb_inet_server:
>  Stack protected: no, not found!
>  Fortify Source functions: unknown, no protectable libc functions used
>  Read-only relocations: yes
>
> root@pisco:~# hardening-check /usr/bin/fbsvcmgr
> /usr/bin/fbsvcmgr:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
> root@pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
> /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
> The reason is likely that some parts of Firebird build system hardcode
> specific flags, which nullify the hardened build flags?

Weird that firebird2.5-superclassic in Ubuntu Lucid shows

hardening-check /usr/sbin/fb_smp_server /usr/sbin/fb_smp_server
/usr/sbin/fb_smp_server:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!

hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!

And it is built from Damyan's repository
filename: pool/main/f/firebird2.5/firebird2.5-superclassic_2.5.1.26351.ds4-2~bpo60+1ubuntu3_amd64.deb

http://jimicompot.blogspot.com/2011/11/rebuilding-firebird-251-from-stable-to.html

I will try to rebuild from testing, and also see what's happening on another sid machine
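
Added example, not part of the thread and not hardening-check's own code: a small parser for the report format quoted above that separates features reported as "no" from those reported as "unknown", since the latter (as with fb_inet_server's Fortify Source line) is inconclusive rather than a failed check. The function names `parse_report` and `triage` are hypothetical, and treating a feature absent from the report as missing is an assumption of this sketch.

```python
import re

# Sample input: the hardening-check output quoted in the bug report above.
REPORT = """\
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
/usr/bin/fbsvcmgr:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
/usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
"""

# The three features the report names as the Wheezy default set.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")

def parse_report(text):
    """Return {binary: {feature: (verdict, detail)}}; tolerates '>' mail quoting."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if line.startswith("/") and line.endswith(":"):   # per-binary header
            current = results.setdefault(line[:-1], {})
            continue
        m = re.match(r"([^:]+):\s*(yes|no|unknown)\b[,\s]*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return results

def triage(results, required=REQUIRED):
    """Per binary: features reported 'no' (or absent) vs. reported 'unknown'."""
    out = {}
    for binary, feats in results.items():
        verdicts = {f: feats.get(f, ("no", ""))[0] for f in required}
        out[binary] = {
            "missing": [f for f in required if verdicts[f] == "no"],
            "inconclusive": [f for f in required if verdicts[f] == "unknown"],
        }
    return out

if __name__ == "__main__":
    for binary, finding in triage(parse_report(REPORT)).items():
        print(binary, finding)
```
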