Source: krb5
Severity: important
Tags: patch
The hardened build flags are not fully enabled for krb5, fortified
source functions are missing. See for example the KDC binary:
root@pisco:~# hardening-check /usr/sbin/krb5kdc
/usr/sbin/krb5kdc:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: yes
Immediate binding: no not found!
The reason is that you're overwriting CPPFLAGS. Attached
patches fixes this.
(dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)
Cheers,
Moritz
diff -aur krb5-1.10+dfsg~alpha2.orig/debian/rules krb5-1.10+dfsg~alpha2/debian/rules
--- krb5-1.10+dfsg~alpha2.orig/debian/rules 2011-12-27 13:43:05.000000000 +0100
+++ krb5-1.10+dfsg~alpha2/debian/rules 2011-11-10 21:16:17.000000000 +0100
@@ -25,17 +25,7 @@
export DEB_HOST_MULTIARCH
-CCOPTS=-g
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CCOPTS +=-O0
-else
- CCOPTS +=-O2
-endif
-
-ifneq (,$(filter i486-linux-gnu x86_64-linux-gnu,$(DEB_HOST_GNU_TYPE)))
- CCOPTS +=-D_FORTIFY_SOURCE=2 -fstack-protector
- endif
-FLAGS=$(shell dpkg-buildflags --export=configure ||echo CFLAGS="$(CCOPTS)")
+DEB_CPPFLAGS_MAINT_APPEND=-D_REENTRANT
ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
NUMJOBS = -j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
@@ -63,7 +53,7 @@
| xargs touch
[ ! -f $(DEB_HOST_GNU_TYPE).cache ] \
|| cp $(DEB_HOST_GNU_TYPE).cache build/
- cd build && $(FLAGS) ../src/configure CPPFLAGS=" -D_REENTRANT" \
+ cd build && ../src/configure $(shell dpkg-buildflags --export=configure) \
--prefix=/usr --localstatedir=/etc --mandir=/usr/share/man \
--with-system-et --with-system-ss --disable-rpath \
--enable-shared --with-ldap --without-tcl \
Nur in krb5-1.10+dfsg~alpha2/debian: rules~.
